Abstract — In search of a quantum key distribution scheme that
could stand up to more drastic eavesdropping attacks, I discover
a prepare-and-measure scheme using $N$-dimensional quantum
particles as information carriers where $N$ is a prime power.
Using the Shor-Preskill-type argument, I prove that this scheme
is unconditionally secure against all attacks allowed by the laws of
quantum physics. Incidentally, for $N = 2^n > 2$, each information
carrier can be replaced by $n$ entangled qubits. And in this case, I
discover an eavesdropping attack under which no
unentangled-qubit-based prepare-and-measure quantum key
distribution scheme known to date can generate a provably secure
key. In contrast, this entangled-qubit-based scheme produces a
provably secure key under the same eavesdropping attack whenever
$N > 16$. This demonstrates the advantage of using entangled
particles as information carriers to combat certain eavesdropping
strategies.

Index Terms — Entanglement purification, local quantum op- 
eration, phase error correction, quantum key distribution, Shor- 
Preskill proof, two way classical communication, unconditional 
security 



I. Introduction 

Key distribution is the art of sharing a secret key between
two cooperative players Alice and Bob in the presence
of an eavesdropper Eve. If Alice and Bob distribute their key
by exchanging classical messages only, Eve may at least in
principle wiretap their conversations without being caught. So,
given unlimited computational resources, Eve can crack the
secret key. In contrast, in any attempt to distinguish between
two non-orthogonal states, information gain is only possible
at the expense of disturbing the state [1]. Therefore, if Alice
and Bob distribute their secret key by sending non-orthogonal
quantum signals, any eavesdropping attempt will almost surely
affect their signal fidelity. Consequently, a carefully designed
quantum key distribution (QKD) scheme allows Alice and
Bob to accurately determine the quantum channel error rate,
which in turn reflects the eavesdropping rate. If the estimated
quantum channel error rate is too high, Alice and Bob abort
the scheme and start all over again. Otherwise, they perform
certain privacy amplification procedures to distill out an almost
perfectly secure key [2], [3], [4], [5], [6]. Therefore, it is
conceivable that a provably secure QKD scheme exists even
when Eve has unlimited computational power.

With this belief in mind, researchers proposed many QKD 
schemes [6]. These schemes differ in many ways such as 
the Hilbert space dimension of the quantum particles used, 
as well as the states and bases Alice and Bob prepared 
and measured. The first QKD scheme, commonly known as 
BB84, was invented by Bennett and Brassard [7]. In BB84, 
Alice randomly and independently prepares each qubit in one
of the following four states: $|0\rangle$, $|1\rangle$ and
$(|0\rangle \pm |1\rangle)/\sqrt{2}$, and sends them to Bob. Upon
reception, Bob randomly and independently measures each qubit in
either the $\{|0\rangle, |1\rangle\}$ or
$\{(|0\rangle \pm |1\rangle)/\sqrt{2}\}$ bases [7]. In short, BB84 is
an experimentally feasible prepare-and-measure scheme involving the
transfer of unentangled qubits [6]. Later, Bruß introduced another
experimentally feasible prepare-and-measure scheme known
as the six-state scheme [8]. In her scheme, Alice randomly
and independently prepares each qubit in one of the following
six states: $|0\rangle$, $|1\rangle$,
$(|0\rangle \pm |1\rangle)/\sqrt{2}$ and
$(|0\rangle \pm i|1\rangle)/\sqrt{2}$; and Bob measures each of them
randomly and independently in the following three bases:
$\{|0\rangle, |1\rangle\}$, $\{(|0\rangle \pm |1\rangle)/\sqrt{2}\}$ and
$\{(|0\rangle \pm i|1\rangle)/\sqrt{2}\}$. Although the six-state
scheme is more complex and generates a key less efficiently, Bruß
found that it tolerates higher noise level than BB84 if Eve attacks
each qubit individually [8]. In addition to qubit-based schemes such
as BB84 and the six-state scheme, a number of QKD schemes
involving higher dimensional as well as continuous systems
have been proposed [9], [10], [11], [12], [13], [14], [15], [16].
Most importantly, studies showed that many schemes involving
higher dimensional systems result in a lower fidelity of the
quantum signal than those involving qubits under individual
particle attack [13], [14], [15], [16], [17].

Are these QKD schemes really secure? Is it really true 
that the six-state scheme tolerates higher error level than 
BB84? The answers to these questions turn out to be highly 
non-trivial. Recall that the all powerful Eve may choose to 
attack the transmitted qubits collectively by applying a unitary 
operator to entangle these qubits with her quantum particles. 
In this situation, most of our familiar tools such as law of 
large numbers and classical probability theory do not apply 
to the resultant highly entangled non-classical state. These 
make rigorous cryptanalysis of BB84 and the six-state schemes 
extremely difficult. 

In spite of these difficulties, a few air-tight security proofs 
against all possible eavesdropping attacks for BB84 and the 
six-state scheme have been discovered. Rigorous proofs for 
QKD schemes with better error tolerance capability are also 
found. After a few years of work, Mayers [4] and Biham et al. 
[18] eventually proved the security of BB84 against all kinds 
of attack allowed by the known laws of quantum physics. In 
particular, Mayers showed that in BB84 a provably secure key 
can be generated whenever the channel bit error rate is less 
than about 7% [4]. (A precise definition of bit error rate can
be found in Subsection IV-A.) Along a different line,
Lo and Chau [3] proved the security of an entanglement-based 
QKD scheme that applies up to 1/3 bit error rate by means of a 
random hashing technique based on entanglement purification 
[19]. Their security proof is conceptually simple and appealing.
Nevertheless, their scheme requires quantum computers
and hence is not practical at this moment. By ingeniously
combining the essence of Mayers and Lo-Chau proofs, Shor
and Preskill gave a security proof of BB84 that applies up to
11.0% bit error rate [20]. This is a marked improvement over
the 7% bit error tolerance rate in Mayers' proof. Since then, the 
Shor-Preskill proof became a blueprint for the cryptanalysis 
of many QKD schemes. For instance, Lo [21] as well as 
Gottesman and Lo [22] extended it to cover the six-state QKD 
scheme. At the same time, the work of Gottesman and Lo 
also demonstrates that careful use of local quantum operation 
plus two way classical communication (LOCC2) increases the 
error tolerance rate of QKD [22]. Furthermore, they found 
that the six-state scheme tolerates a higher bit error rate than 
BB84 because the six-state scheme gives better estimates for 
the three Pauli error rates [22]. In search of a qubit-based 
QKD scheme that tolerates higher bit error rate, Chau recently 
discovered an adaptive entanglement purification procedure 
inspired by the technique used by Gottesman and Lo in 
Ref. [22]. He further gave a Shor-Preskill-based proof showing 
that this adaptive entanglement purification procedure allows 
the six-state scheme to generate a provably secure key up to 
a bit error rate of $(5 - \sqrt{5})/10 \approx 27.6\%$ [23], making it
the most error-tolerant prepare-and-measure scheme involving 
unentangled qubits to date. 

Unlike various qubit-based QKD schemes, a rigorous security
proof against the most general type of eavesdropping
attack on a QKD scheme involving higher dimensional quantum
systems is lacking. Besides, the error tolerance capability
for this kind of QKD schemes against the most general
eavesdropping attack is virtually unexplored. In fact, almost all
relevant cryptanalysis focus on individual particle attack; and
they suggest that QKD schemes involving higher dimensional
systems may be more error-tolerant [13], [14], [15], [17]. It
is, therefore, instructive to give air-tight security proofs and
analyze the error tolerance capability for this type of schemes.

In this paper, I analyze the security and error tolerance
capability of a prepare-and-measure QKD scheme involving
the transmission of higher dimensional quantum systems. In
fact, this scheme makes use of $N$-dimensional quantum states
prepared and measured randomly in $(N + 1)$ different bases.
Because of the randomization of bases, the probabilities of
certain kinds of quantum errors in the transmitted signal
are correlated. This makes the error estimation effective and
hence the error tolerance rate high. Nonetheless, the high
error tolerance rate comes with a price, namely, that the
efficiency of the scheme is lowered. Now, let me first begin by
briefly reviewing the general assumptions on the capabilities
of Alice, Bob and Eve together with a precisely stated security
requirement for a general QKD scheme in Section II. Then,
I introduce an entanglement-based QKD scheme involving
the transmission of $N$-dimensional quantum systems where
$N$ is a prime power in Section III and prove its security
against the most general eavesdropping attack in Section IV.
By standard Shor and Preskill reduction argument, I arrive at
the provably secure prepare-and-measure scheme in Section V.
Since one may use $n$ possibly entangled qubits to represent
an $N$-dimensional quantum state whenever $N = 2^n$, I obtain
an unconditionally secure prepare-and-measure QKD scheme
based on entangled qubits. This entangled-qubit-based QKD
scheme offers a definitive advantage over all currently known
unentangled-qubit-based ones on combating certain kinds of
eavesdropping strategies. More precisely, there is a specific
eavesdropping attack that creates a bit error rate too high
for any unentangled-qubit-based prepare-and-measure QKD
scheme known to date to generate a provably secure key.
In contrast, the same eavesdropping attack does not prevent
this entangled-qubit-based prepare-and-measure scheme from
producing a provably secure key whenever $N > 16$. But on the
other hand, there is another specific eavesdropping attack under
which the entangled-qubit-based scheme cannot generate a provably
secure key while the unentangled-qubit-based prepare-and-measure
scheme proposed by Chau in Ref. [23] can. Thus,
using entangled particles as information carriers is a feasible
way to generate a secure key under certain drastic eavesdropping
attacks. Lastly, I give a brief summary in Section VI.

II. General Features And Security Requirements 
For Quantum Key Distribution 

In QKD, we assume that Alice and Bob have access to two 
communication channels. The first one is an insecure noisy 
quantum channel. The other one is an unjammable noiseless 
authenticated classical channel in which everyone, including 
Eve, can listen to but cannot alter the content passing through 
it. We also assume that Alice and Bob have complete control 
over the apparatus in their own laboratories; and everything 
outside their laboratories except the unjammable classical 
channel may be manipulated by the all powerful Eve. We 
further make the most pessimistic assumption that Eve is 
capable of performing any operation in her controlled territory 
that is allowed by the known laws of quantum physics [5], [6]. 

Given an unjammable classical channel and an insecure 
quantum channel, a QKD scheme consists of three stages [2]. 
The first is the signal preparation and transmission stage where 
quantum signals are prepared and exchanged between Alice 
and Bob. The second is the signal quality test stage where a 
subset of the exchanged quantum signals is measured in order 
to estimate the eavesdropping rate in the quantum channel. 
The final phase is the signal privacy amplification stage 
where a carefully designed privacy amplification procedure is 
performed to distill out an almost perfectly secure key. 

No QKD scheme can be 100% secure as Eve may be lucky 
enough to guess the preparation or measurement bases for each 
quantum state correctly. Hence, it is more reasonable to de- 
mand that the mutual information between Eve's measurement 
results after eavesdropping and the final secret key is less than 
an arbitrary but fixed small positive number. Hence I adopt the 
following definition of security. 

Definition 1 (Based on Lo and Chau [3]): With the above
assumptions on the unlimited computational power of Eve,
a QKD scheme is said to be unconditionally secure with
security parameters $(\epsilon_p, \epsilon_I)$ provided that whenever
Eve has a cheating strategy that passes the signal quality control
test with probability greater than $\epsilon_p$, the mutual
information between Eve's measurement results after eavesdropping
and the final secret key is less than $\epsilon_I$.

III. An Entanglement-Based Quantum Key 
Distribution Scheme 

In what follows, I first explicitly construct a unitary operator
$T$ which plays a pivotal role in the design of the QKD scheme
in Subsection III-A. Then, I make use of the operator $T$ to
construct the entanglement-based QKD scheme in Subsection III-B.

A. The Unitary Operator T 

In the analysis of certain quantum error correcting codes,
Gottesman introduced a unitary operator that cyclically permutes
the $\sigma_x$, $\sigma_y$ and $\sigma_z$ errors by conjugation [24].
Later on, Lo observed that conjugation by the same operator
permutes the three bases used by the six-state scheme, namely,
$\{|0\rangle, |1\rangle\}$, $\{(|0\rangle \pm |1\rangle)/\sqrt{2}\}$ and
$\{(|0\rangle \pm i|1\rangle)/\sqrt{2}\}$. He further
used the permuting property of this unitary operator to argue
that the $\sigma_x$, $\sigma_y$ and $\sigma_z$ error rates of the
transmitted quantum signals in the six-state scheme are equal [21].
This is an important step in the analysis of the error tolerance
rate of the six-state scheme as it greatly restricts the possible
form of error in the transmitted quantum signals.

To devise a highly error-tolerant higher dimensional QKD 
scheme, one naturally asks if it is possible to find a unitary 
operator T that cyclically permutes as many types of single 
quantum register errors as possible by conjugation. In this 
subsection, I am going to show that such an operator T indeed 
exists by explicitly writing down an expression for T. But 
before doing so, I need to introduce a few notations. 

Definition 2 (Ashikhmin and Knill [25]): Suppose $a \in GF(N)$
where $N = p^n$ with $p$ being a prime. We define
the unitary operators $X_a$ and $Z_a$ acting on an $N$-dimensional
Hilbert space by

$$X_a |b\rangle = |a + b\rangle \tag{1}$$

and

$$Z_a |b\rangle = \chi_a(b) |b\rangle \equiv \omega_p^{\mathrm{Tr}(ab)} |b\rangle, \tag{2}$$

where $\chi_a$ is an additive character of the finite field $GF(N)$,
$\omega_p$ is a primitive $p$th root of unity and
$\mathrm{Tr}(a) = a + a^p + a^{p^2} + \cdots + a^{p^{n-1}}$ is the
absolute trace of $a \in GF(N)$. Note that
the arithmetic inside the state ket and in the exponent of $\omega_p$
is performed in the finite field $GF(N)$.

It is easy to see from Definition 2 that
$\{X_a Z_b : a,b \in GF(N)\}$ spans the set of all possible linear
operators for an $N$-dimensional quantum register over $\mathbb{C}$.
Besides, $X_a$ and $Z_b$ follow the algebra

$$X_a X_b = X_b X_a = X_{a+b}, \tag{3}$$

$$Z_a Z_b = Z_b Z_a = Z_{a+b} \tag{4}$$

and

$$Z_b X_a = \omega_p^{\mathrm{Tr}(ab)} X_a Z_b \tag{5}$$

for all $a,b \in GF(N)$, where arithmetic in the subscripts is
performed in $GF(N)$.

Let $T$ be a linear operator acting on an $N$-dimensional space
where $N = p^n$ is a prime power. Inspired by the permuting
property of the unitary operator used by Lo in the security
proof of the six-state scheme [21], one naturally demands that
$T^{-1} X_a Z_b T = \omega_p^{f(a,b)} X_{a'(a,b)} Z_{b'(a,b)}$ for all
$a,b \in GF(N)$. The factor $\omega_p^{f(a,b)} \in \mathbb{C}$
satisfying $|\omega_p^{f(a,b)}| = 1$ is sometimes
known as the global phase because it simply multiplies a
quantum state by a phase independent of that state. In order
for $T$ to cyclically permute as many $X_a Z_b$'s as possible, one
may demand that

$$\begin{pmatrix} a' \\ b' \end{pmatrix} = \begin{pmatrix} \alpha & \beta \\ \beta & \gamma \end{pmatrix} \begin{pmatrix} a \\ b \end{pmatrix} \equiv M(T) \begin{pmatrix} a \\ b \end{pmatrix} \tag{6}$$

for all $a,b \in GF(N)$, where $\alpha$, $\beta$ and $\gamma \in GF(N)$.
I shall simply denote $M(T)$ by $M$ in this paper when the map $T$ is
clearly known to readers.

The phase factor $\omega_p^{f(a,b)}$ and the matrix $M(T)$ cannot
be arbitrarily chosen. To show this, I use Eqs. (3)-(6) to
manipulate the expression $X_{a+c} Z_{b+d} T$. On the one hand,
$X_{a+c} Z_{b+d} T$ equals

$$\omega_p^{f(a+c,b+d)} \, T X_{(a+c)\alpha+(b+d)\beta} Z_{(a+c)\beta+(b+d)\gamma}.$$

On the other hand, it equals

$$\omega_p^{-\mathrm{Tr}(bc)} X_a Z_b X_c Z_d T = \omega_p^{f(c,d)-\mathrm{Tr}(bc)} X_a Z_b T X_{c\alpha+d\beta} Z_{c\beta+d\gamma}$$

$$= \omega_p^{f(a,b)+f(c,d)+\mathrm{Tr}([a\beta+b\gamma][c\alpha+d\beta]-bc)} \, T X_{(a+c)\alpha+(b+d)\beta} Z_{(a+c)\beta+(b+d)\gamma}.$$

Therefore, $T$ is well-defined if and only if the phases in
the above two ways of expressing $X_{a+c} Z_{b+d} T$ agree for all
$a, b, c, d \in GF(N)$.

It is tedious but straight-forward to check that the following
three constraints (Eqs. (7)-(9)) plus the three phase conventions
(Eqs. (10)-(12)) make the expressions in the above
paragraph consistent and hence the linear map $T$ well-defined:

$$\alpha\gamma - \beta^2 = 1, \tag{7}$$

$$X_a Z_b T = \omega_p^{f(a,b)} \, T X_{a\alpha+b\beta} Z_{a\beta+b\gamma} \tag{8}$$

and

$$f(a,b) = \frac{1}{2}\mathrm{Tr}(\beta[a^2\alpha + b^2\gamma]) + \mathrm{Tr}\Big(ab\beta^2 + \delta_{p2} \sum_{i>j} \beta g_i g_j [a_i a_j \alpha + b_i b_j \gamma]\Big) \tag{9}$$

for all $a,b \in GF(N)$. Note that in Eq. (9),
$a = \sum_{i=1}^{n} a_i g_i$ and $b = \sum_{i=1}^{n} b_i g_i$ where
$\{g_1, g_2, \ldots, g_n\}$ is a fixed basis of
$GF(N)$ over the field $GF(p)$ and $a_i, b_i \in GF(p)$. Moreover,
$\delta_{p2}$ in the above equation is the Kronecker delta.

Two important remarks are in place. First, when $p > 2$
and hence $N$ is odd, 2 is invertible in $GF(N)$. Consequently, the
global phase $\omega_p^{f(a,b)}$ may be chosen from $p$th roots of
unity. Following this convention, I demand

$$f(a,b) \in \mathbb{Z}/p\mathbb{Z} \ \text{ for any } a,b \in GF(N) \text{ if } 2 \nmid N. \tag{10}$$

In contrast, when $p = 2$ and hence $N$ is even, 2 is not
invertible in $GF(N)$. In this case $f(a,b)$ may be integral or
half-integral. Consequently, $\omega_p^{f(a,b)} \in \{\pm 1, \pm i\}$.
In this case, I use the convention that

$$\omega_p^{\mathrm{Tr}(\alpha\beta a_j^2 g_j^2)/2} = \begin{cases} 1 & \text{if } \mathrm{Tr}(\alpha\beta a_j^2 g_j^2) = 0, \\ i & \text{if } \mathrm{Tr}(\alpha\beta a_j^2 g_j^2) = 1, \end{cases} \tag{11}$$

and

$$\omega_p^{\mathrm{Tr}(\beta\gamma b_j^2 g_j^2)/2} = \begin{cases} 1 & \text{if } \mathrm{Tr}(\beta\gamma b_j^2 g_j^2) = 0, \\ i & \text{if } \mathrm{Tr}(\beta\gamma b_j^2 g_j^2) = 1, \end{cases} \tag{12}$$

for all $a_j, b_j \in GF(p)$, where $j = 1, 2, \ldots, n$.

The second remark concerns the reason why we have the
last term in Eq. (9). Recall that the identity
$\mathrm{Tr}(a_i^2 + a_j^2)/2 + \mathrm{Tr}(a_i a_j) = \mathrm{Tr}([a_i + a_j]^2)/2$
holds only for $p > 2$. In contrast,
$\mathrm{Tr}(a_i^2 + a_j^2) = \mathrm{Tr}([a_i + a_j]^2)$ for $p = 2$.
So, I cannot use the first identity to absorb the last term in
Eq. (9) into the first term when $p = 2$.

Lemma 1: A linear operator $T$ obeying Eqs. (7)-(12) is
unitary after a proper scaling. Specifically, $T$ is unitary if and
only if its operator norm satisfies $\|T\| = 1$.

Proof: I only need to show that $\|T\| = 1$ is a sufficient
condition as this condition is clearly necessary. Eqs. (7)-(12)
lead to

$$X_a Z_b T T^\dagger = \omega_p^{f(a,b)} \, T X_{a\alpha+b\beta} Z_{a\beta+b\gamma} T^\dagger = \omega_p^{f(a,b)-\mathrm{Tr}([a\alpha+b\beta][a\beta+b\gamma])} \, T Z^\dagger_{-a\beta-b\gamma} X^\dagger_{-a\alpha-b\beta} T^\dagger$$

$$= \omega_p^{f(a,b)+f(-a,-b)-\mathrm{Tr}(\beta[a^2\alpha+b^2\gamma])-2\mathrm{Tr}(ab\beta^2)} \, T T^\dagger X_a Z_b = T T^\dagger X_a Z_b$$

for all $a,b \in GF(N)$. By the same argument,
$X_a Z_b T^\dagger T = T^\dagger T X_a Z_b$ for all $a,b \in GF(N)$. Since
$T$ acts on a finite dimensional Hilbert space and
$\{X_a Z_b : a,b \in GF(N)\}$ spans the set of all linear
operators on that Hilbert space, $TT^\dagger$ and $T^\dagger T$ are
constant multiples of the identity operator. Therefore, $\|T\| = 1$
implies $TT^\dagger = I = T^\dagger T$. Hence, $T$ is unitary. ■

In order to fully utilize the error tolerance capability of
an $N$-dimensional QKD scheme, $T$ should satisfy one more
constraint, namely, the order of $T$ must be as large as possible.
The theorem below gives us an attainable upper bound for the
order of $T$.

Theorem 1: There exists a unitary operator $T$ satisfying
the constraints Eqs. (7)-(9), the phase conventions stated in
Eqs. (10)-(12) as well as the condition that
$I, T, T^2, \ldots, T^N$ are distinct operators up to a global phase.
(That is, for all $0 \le i < j \le N$ and $\theta \in \mathbb{R}$,
$T^i \neq e^{i\theta} T^j$.) Furthermore, the
order of $T$ up to a global phase satisfying Eqs. (7)-(12) is at
most $(N + 1)$. Suppose further that $\{g_1, g_2, \ldots, g_n\}$ is a
fixed basis of $GF(N)$ over $GF(p)$, then $T$ is given by



N ^ 

a,bGGF(N) 

for some e M, where 



Tiivl{a,b))-^Tv{^2{aM)) 
OJp y^a^b 



(13) 



ipi{a,b) 
1 



r{/33(7-l)a'-(7-l)[("-l)' + 



{2- a- 7)2 
P^{2a - l)]ab + f3[a"fia - 1) + 7 - Ijfe^} + 
5p2P'^gigj{a^aja + bibj^) (14) 



and 



V2{a,b) 



(2- a -7)2 



[(a + 7 - 2a"f){a^ + 2/3a6 + 6^) + 



(15) 



Note that all the arithmetic in the above two equations are 
performed in the finite field GF{N). Besides, in Eq. MAI . 
di,bi e GF{p) are the unique solutions of the equations 



and 



n 



(7-l)a-/3b 
2 — a — 7 

{a-l)b- f3a 
2 — a — 7 



(16) 



(17) 



Proof: From Eqs. (6) and (8), I know that the order of
$T$ up to a global phase is equal to the order of $M = M(T)$.
Combining with Eq. (7), the characteristic equation of $M$ is
$\mathrm{Char}(M) = \lambda^2 - (\alpha + \gamma)\lambda + 1$. If
$\mathrm{Char}(M)$ is reducible in $GF(N)$, the order of $M$ and hence
also the order of $T$ up to a global phase are at most $(N - 1)$. So,
to construct $T$ with a larger order, I must look for
$\mathrm{Char}(M)$ that is irreducible in $GF(N)$. Nevertheless, a
degree two irreducible polynomial over $GF(N)$ splits in $GF(N^2)$.
Since the constant term of $\mathrm{Char}(M)$ is 1, the roots of
$\mathrm{Char}(M) = 0$ over $GF(N^2)$ can be written as $\zeta$ and
$\zeta^{-1}$ respectively. Since $\alpha + \gamma \in GF(N)$, I
conclude that
$\zeta + \zeta^{-1} = (\zeta + \zeta^{-1})^N = \zeta^N + \zeta^{-N}$.
Therefore, $(\zeta^{N+1} - 1)(\zeta^{N-1} - 1) = 0$. However,
$\zeta \notin GF(N)$ and hence $\zeta^{N+1} = 1$. In other words, the
order of the irreducible polynomial $\mathrm{Char}(M)$ and hence the
order of $T$ up to a global phase both divide $(N + 1)$. More
importantly, since $N \not\equiv 1 \bmod (N + 1)$ and
$N^2 \equiv 1 \bmod (N + 1)$, Theorem 3.5 in
Ref. [26] assures the existence of an order $(N + 1)$ irreducible
polynomial in the form $\lambda^2 + c\lambda + 1$ over $GF(N)$.
(Actually, Theorem 3.5 in Ref. [26] implies that
$\lambda^2 + c\lambda + 1$ is irreducible over $GF(N)$ if and only if
it is equal to $(\lambda + \zeta)(\lambda + \zeta^{-1})$
for $\zeta \in GF(N^2) \setminus GF(N)$ with $\zeta^{N+1} = 1$. Hence,
such irreducible polynomials can be found efficiently.)

It remains to show that there exists $T$ whose order of the
corresponding characteristic polynomial $\mathrm{Char}(M(T))$ equals
$(N + 1)$. I divide the proof into two cases.

Case 1: $p = 2$ or $p \equiv 1 \bmod 4$ where $N = p^n$. In this
case, I simply pick $\alpha = 0$, $\gamma = -c$ and
$\beta = (-1)^{1/2}$. (Such a $\beta \in GF(N)$ exists because
$x^2 = -1 \bmod p$ is solvable when
$p = 2$ or $p$ is a prime satisfying $p \equiv 1 \bmod 4$.) Then, it is
easy to check that Eq. (7) is satisfied and hence $T$ exists.

Case 2: $p > 2$. In this case, I pick $\alpha = 1$,
$\gamma = -c - 1$. In this way,
$\beta^2 = -c - 2 = \zeta + \zeta^{-1} - 2 = -(\zeta - 1)(\zeta^{-1} - 1) = (\zeta - 1)^2 \zeta^{-1}$.
Hence, I choose
$\beta = (\zeta - 1)\zeta^{-1/2} = \zeta^{1/2} - \zeta^{-1/2}$.
($\zeta^{1/2}$ exists since $p$ is an odd prime and
$\zeta^{N+1} = 1$ so that $\zeta$ is an even power of $\kappa$, where
$\kappa$ is a primitive element in $GF(N^2)$.)



i>j 



Moreover, $\beta \in GF(N)$ since
$(\zeta^{1/2} - \zeta^{-1/2})^N = \zeta^{N/2} - \zeta^{-N/2} = -\zeta^{-1/2} + \zeta^{1/2}$.

Now, I am ready to explicitly construct $T$. To do so, I write
$T = \sum_{a,b \in GF(N)} \lambda_{ab} X_a Z_b$ for some
$\lambda_{ab} \in \mathbb{C}$. From Eq. (8), I conclude that

$$\lambda_{ij} = \omega_p^{f(a,b)+\mathrm{Tr}([a\alpha+b\beta]\{j-a\beta-b[\gamma-1]\}-bi)} \, \lambda_{i-a(\alpha-1)-b\beta,\; j-a\beta-b(\gamma-1)} \tag{18}$$

for all $a,b,i,j \in GF(N)$. Since the order of $T$ is greater
than 1,
$M(T) - I = \begin{pmatrix} \alpha - 1 & \beta \\ \beta & \gamma - 1 \end{pmatrix}$
is invertible. Hence, I can choose suitable $a = a(i,j)$ and
$b = b(i,j)$ in Eq. (18) to
relate every $\lambda_{ij}$ to $\lambda_{00}$. In this way, I conclude
that every $\lambda_{ij}$ is proportional to $\lambda_{00}$. Besides,
all $|\lambda_{ij}|$'s are equal.
Consequently, the unitarity of $T$ implies that
$|\lambda_{00}| = 1/N$.
By explicitly substituting $a$, $b$ into Eq. (18) and after a tedious
but straight-forward calculation, I arrive at Eqs. (13)-(17). ■

The explicit construction of the operator $T$ in the above
proof also shows that once the $2 \times 2$ matrix $M(T)$ and the
primitive root $\omega_p$ are fixed, $T$ is uniquely determined up to a
global phase and a convention for $\omega_p^{f(a,b)}$.

For illustration purpose, the choices of $M(T)$'s and hence
the unitary operators $T$'s for $N = 2, 3, 4$ computed by
Eqs. (10)-(17) are tabulated in Table I. Incidentally, the unitary
operator $T$ listed in Table I for $N = 2$ is, up to a global phase,
the same as the one used by Lo in his security proof of the
six-state scheme in Ref. [21].

  N    M(T)                                              T
  2    $\begin{pmatrix} 0 & 1 \\ 1 & 1 \end{pmatrix}$      $\frac{1}{2}(I - iX_1 - iZ_1 + X_1 Z_1)$
  3    $\begin{pmatrix} 1 & 1 \\ 1 & 2 \end{pmatrix}$      i.j=0
  4    $\begin{pmatrix} 0 & 1 \\ 1 & \omega \end{pmatrix}$ i ^ (_l)-Tr(^[i+j])/2+Ti(i+:i)+%j_i^.^^ ^i,jeGF(4)

TABLE I

The choices of $T$ and $M(T)$ for $N = 2$, 3 and 4. Note that
$\omega \in GF(4)$ satisfies $\omega^2 + \omega + 1 = 0$ and I have
used $\{1, \omega\}$ as the basis of $GF(4)$ over $GF(2)$ when
constructing $T$ for $N = 4$.

Now, I report several important properties of $T$ and $M(T)$
that will be used in the security proof of this QKD scheme in
Section IV.

Lemma 2: Suppose the order of $M(T)$ equals $(N + 1)$, then
$M(T)^k$ is in the form $aI$ for some $a \in GF(N)$ if and only
if (1) $p = 2$ and $(N + 1) | k$; or (2) $p > 2$ and
$[(N + 1)/2] | k$. In fact, if $p > 2$, $M(T)^{(N+1)/2} = -I$.

Proof: Since $\mathrm{Char}(M(T)) = \lambda^2 + c\lambda + 1$, $M(T)$
can be written in the form $P^{-1} D P$ where
$D = \mathrm{diag}(\zeta, \zeta^{-1})$ where
$\zeta \in GF(N^2)$ and $\zeta^{N+1} = 1$. Hence $M(T)^k = aI$ if and
only if $\zeta^{2k} = 1$. If $p = 2$,
$\zeta^{2k} = 1 \iff \zeta^k = 1 \iff (N + 1) | k$; and
if $p > 2$,
$\zeta^{2k} = 1 \iff \zeta^k = \pm 1 \iff [(N + 1)/2] | k$. Moreover,
$\zeta^k = -1$ if and only if $k = [(N + 1)/2] \bmod (N + 1)$. ■

Corollary 1: The period of the sequence
$\{T^{-k} X_a Z_b T^k : k \in \mathbb{N}\}$ up to global phases equals
$(N + 1)$ whenever $a, b \in GF(N)$ are not all zero. Furthermore, if
$p = 2$, there is exactly one $0 \le k \le N$ with
$T^{-k} X_a Z_b T^k = \lambda Z_c$ for some $\lambda \in \mathbb{C}$
and $c \in GF(N)$. If $p > 2$, either
$T^{-k} X_a Z_b T^k \neq \lambda Z_c$ for all
$k$ or there are two distinct $0 \le k, k' \le N$ with
$T^{-k} X_a Z_b T^k = \lambda Z_c$ and
$T^{-k'} X_a Z_b T^{k'} = \lambda' Z_{c'}$ for
$\lambda, \lambda' \in \mathbb{C}$ and $c \neq c' \in GF(N)$.

Proof: Direct application of Lemma 2. ■

Definition 3: $T$ defines an equivalence relation on
$GF(N)^2$ by $(a, b) \sim (a', b')$ if there exists
$i \in \mathbb{N}$ and $\lambda \in \mathbb{C} \setminus \{0\}$ such that
$T^{-i} X_a Z_b T^i = \lambda X_{a'} Z_{b'}$. I denote
elements in the corresponding equivalence class by $(a, b)/\sim$.

Corollary 2: There are $N$ elements in the set of equivalence
classes $GF(N)^2/\sim$. Besides, $|(a, b)/\sim| = N + 1$ if
$(a, b) \neq (0, 0)$.
For every $a \in GF(N)$, there exists at most two distinct
$b, b' \in GF(N)$ such that $(a, b) \sim (a, b')$. Furthermore, if
$p > 2$, $b \neq b'$ and $c \neq 0$, then
$(0, c) \sim (a, b) \sim (a, b') \implies a = 0$ if
and only if $N = 3$. If $p = 2$, $(0, b) \sim (0, b')$ implies
$b = b'$. In addition, suppose that $p = 2$ and $a \neq 0$. Then, for
any $b \in GF(N)$, there exists $c = c(b)$ such that
$(0, a) \sim (b, c)$. In summary,
$GF(N)^2/\sim \, = \{(0, a)/\sim \, : a \in GF(N)\}$ if $p = 2$.
On the other hand, if $p > 2$, there are $(N - 1)/2$ elements
of $GF(N)^2/\sim$ each containing two distinct elements in the
form $(0, b)$.

Proof: By writing 



M[T) 



e 




p 



-1 



e 




f3 e- 

f3 



(19) 



then $(a, b) \sim (a, b')$ if and only if there exists $k$ such that

^'^ 



e 



-fc 



P 



= P 



a 
b' 



(20) 



By eliminating $k$ from the above equation, I obtain a quadratic
equation involving variables $a$, $b$ and $b'$. Thus, for a given
$a$, $b$, there are at most two distinct $b'$ satisfying Eq. (20).
Hence, for every $a \in GF(N)$, there are at most two distinct
$b, b' \in GF(N)$ with $(a, b) \sim (a, b')$.

Now suppose $p > 2$, $b \neq b'$ and $c \neq 0$. If
$(0, c) \sim (a, b) \sim (a, b')$, there exist two distinct integers
$k, k' \in [0, N]$ such that $M^k [0 \; c]^T = [a \; b]^T$ and
$M^{k'} [0 \; c]^T = [a \; b']^T$. Using
Eq. (19) to equate the first rows of the above two equations,
I obtain $\zeta^k - \zeta^{-k} = \zeta^{k'} - \zeta^{-k'}$. The
solution of this equation is $\zeta^k = \zeta^{k'}$ or
$\zeta^{k+k'} = -1$. Since $p > 2$, Lemma 2 demands
that $k = k' \bmod (N + 1)$ or
$k + k' = [(N + 1)/2] \bmod (N + 1)$. As $N$ is odd, there are at most
two solutions for $2k = [(N + 1)/2] \bmod (N + 1)$. Thus, provided
that $N > 3$, there exist more than two pairs of $(k, k')$ such that
$k \neq k'$ and $k + k' = [(N + 1)/2] \bmod (N + 1)$. Hence, there
exist $b \neq b'$ such that $(0, c) \sim (a, b) \sim (a, b')$ for
$a \neq 0$. In contrast, if $N = 3$, $(0, 2)$ and $(2, 0)$ are the
only two pairs of $(k, k')$ satisfying $k \neq k'$ and
$k + k' = 2 \bmod 4$. From Lemma 2,
$M^2 = -I$ when $N = 3$. Hence, $(a, b, b')$ equals $(0, 1, 2)$ or
$(0, 2, 1)$. Therefore,
$(0, c) \sim (a, b) \sim (a, b') \implies a = 0$.

The remaining assertions then follow directly from Corollary 1. ■
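The following added example (not part of the original paper) checks Lemma 2 and Corollary 2 by brute force for prime $N = p$, where arithmetic in $GF(N)$ is ordinary arithmetic modulo $p$; prime powers such as $N = 4$ would need genuine finite-field arithmetic and are outside its scope. The function names (`find_M`, `equivalence_classes`, `summarize`) are hypothetical, and `find_M` simply returns the first symmetric matrix satisfying Eq. (7) with order $N + 1$, which is an assumption of this sketch rather than the construction used in the proof of Theorem 1.

```python
from itertools import product

IDENTITY = ((1, 0), (0, 1))


def mat_mul(A, B, p):
    """Product of two 2x2 matrices over GF(p), p prime."""
    return tuple(
        tuple(sum(A[i][k] * B[k][j] for k in range(2)) % p for j in range(2))
        for i in range(2)
    )


def mat_pow(M, k, p):
    """M^k over GF(p) by repeated multiplication (k is small here)."""
    result = IDENTITY
    for _ in range(k):
        result = mat_mul(result, M, p)
    return result


def mat_order(M, p):
    """Smallest k >= 1 with M^k = I; M must be invertible (det 1 here)."""
    k, power = 1, M
    while power != IDENTITY:
        power, k = mat_mul(power, M, p), k + 1
    return k


def find_M(p):
    """First symmetric [[alpha, beta], [beta, gamma]] over GF(p) with
    alpha*gamma - beta^2 = 1 (Eq. (7)) and order p + 1."""
    for alpha, beta, gamma in product(range(p), repeat=3):
        if (alpha * gamma - beta * beta) % p != 1:
            continue
        M = ((alpha, beta), (beta, gamma))
        if mat_order(M, p) == p + 1:
            return M
    raise ValueError("no suitable M(T) found")


def equivalence_classes(M, p):
    """Orbits of (a, b) -> M (a, b)^T: the classes (a, b)/~ of Definition 3."""
    seen, classes = set(), []
    for start in product(range(p), repeat=2):
        if start in seen:
            continue
        orbit, v = [], start
        while v not in seen:
            seen.add(v)
            orbit.append(v)
            v = ((M[0][0] * v[0] + M[0][1] * v[1]) % p,
                 (M[1][0] * v[0] + M[1][1] * v[1]) % p)
        classes.append(orbit)
    return classes


def summarize(p):
    """Collect the quantities that Lemma 2 and Corollary 2 make claims about."""
    M = find_M(p)
    classes = equivalence_classes(M, p)
    nonzero = [c for c in classes if c != [(0, 0)]]

    def b_count(c, a0):
        # Number of distinct b with (a0, b) in class c.
        return sum(1 for a, _ in c if a == a0)

    two_0b = [c for c in nonzero if b_count(c, 0) == 2]
    minus_identity = ((p - 1, 0), (0, p - 1))
    return {
        "M": M,
        "order": mat_order(M, p),
        "num_classes": len(classes),
        "class_sizes": {len(c) for c in nonzero},
        "max_b_per_a": max(b_count(c, a) for c in nonzero for a in range(p)),
        "classes_with_one_0b": sum(1 for c in nonzero if b_count(c, 0) == 1),
        "classes_with_two_0b": len(two_0b),
        # Does a class holding two (0, b) also hold two (a, b) with a != 0?
        "double_b_at_nonzero_a": any(
            b_count(c, a) == 2 for c in two_0b for a in range(1, p)
        ),
        "half_power_is_minus_I": p > 2
        and mat_pow(M, (p + 1) // 2, p) == minus_identity,
    }


if __name__ == "__main__":
    for p in (2, 3, 5, 7):
        print(p, summarize(p))
```

For $N = 2$ and $N = 3$ the search returns the same $M(T)$ as Table I, and the flag `double_b_at_nonzero_a` flips from false at $N = 3$ to true for $N > 3$, as Corollary 2 states.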
B. An Entanglement-Based QKD Scheme

Let $N$ be a prime power and $T$ be the order $(N + 1)$ unitary
operator described in Theorem 1 in Subsection III-A. Then,
the QKD scheme goes as follows.

Entanglement-based QKD Scheme A 

1) Alice prepares $L \gg 1$ quantum particle pairs in the state
$\sum_{i \in GF(N)} |ii\rangle/\sqrt{N}$. She applies one of the
following unitary transformations to the second particle in each
pair randomly and independently: $I, T, T^2, \ldots, T^N$. For
every pair of particles, Alice keeps the first one and
sends the second one to Bob. He acknowledges the
reception of these particles and then applies one of
the following to each received particle randomly and
independently: $I^{-1}, T^{-1}, T^{-2}, \ldots, T^{-N}$. Now, Alice
and Bob publicly reveal their unitary transformations
applied to each particle. A shared pair is then kept and
is said to be in the set $S_i$ if Alice and Bob have applied
$T^i$ and $T^{-i}$ to the second particle of the shared pair
respectively. Thus in the absence of noise and Eve, each
pair of shared particles kept by Alice and Bob should
be in the state $\sum_{i \in GF(N)} |ii\rangle/\sqrt{N}$.

2) Alice and Bob estimate the (quantum) channel error
rate by sacrificing a few particle pairs. Specifically, they
randomly pick $O([N + 1]^2 \log\{[N + 1]/\epsilon\}/\delta^2 N^2)$ pairs
from each of the $(N + 1)$ sets $S_i$ and measure each
particle of the pair in the
$\{|0\rangle, |1\rangle, \ldots, |N - 1\rangle\}$ basis,
namely the standard basis. They publicly announce and
compare their measurement results. In this way, they
know the estimated channel error rate within standard
deviation $\delta$ with probability at least $(1 - \epsilon)$. (A
detailed proof of this claim can be found in Ref. [2]. A brief outline
of the proof will also be given in Subsection IV-B for
handy reference.) If the channel error rate is too high,
they abort the scheme and start all over again.

3) Alice and Bob perform the following privacy amplification
procedure. (Readers will find out in Section IV
that step 3a below reduces errors in the form $X_a Z_b$ with
$a \neq 0$ at the expense of increasing errors in the form
$Z_c$ with $c \neq 0$. In contrast, step 3b below reduces errors in
the form $X_a Z_b$ with $b \neq 0$ at the expense of increasing
errors in the form $X_c$ with $c \neq 0$. Most vitally, applying
steps 3a and 3b in turn is an effective way to reduce all
kinds of errors.)

a) Alice and Bob apply the entanglement purification
procedure by two way classical communication
(LOCC2 EP) similar to the ones reported
in Refs. [19], [27]. Specifically, Alice and Bob
randomly group their remaining quantum particles
in tetrads; and each tetrad consists of two pairs
shared between Alice and Bob in Step 1. Alice
randomly picks one of the two particles in her
share of each tetrad as the control register and
the other as the target. She applies the following
unitary operation to the control and target registers:

$$|i\rangle_{\text{control}} \otimes |j\rangle_{\text{target}} \mapsto |i\rangle_{\text{control}} \otimes |j - i\rangle_{\text{target}}, \tag{21}$$

where the subtraction is performed in the finite
field $GF(N)$. Bob applies the same unitary
transformation to his corresponding share of particles
in the tetrad. Then, they publicly announce their
measurement results of their target registers in
the standard basis. They keep their control registers
only when the measurement results of their
corresponding target registers agree. They repeat
the above LOCC2 EP procedure until there is
an integer $r > 0$ such that a single application
of step 3b will bring the quantum channel error
rate of the resultant particles down to less than
$\epsilon_I/\ell^2$ for an arbitrary but fixed security parameter
$\epsilon_I > 0$, where $r\ell$ is the number of remaining pairs
they shared currently. They abort the scheme either
when $r$ is greater than the number of remaining
quantum pairs they possess or when they have used
up all their quantum particles in this procedure.

b) They apply the majority vote phase error correction
(PEC) procedure introduced by Gottesman and Lo
[22]. Specifically, Alice and Bob randomly divide
the resultant particles into sets each containing $r$
pairs of particles shared between Alice and Bob.
Alice and Bob separately apply the $[r, 1, r]_N$ phase
error correction procedure to their corresponding
shares of $r$ particles in each set and retain their
phase error corrected quantum particles. At this
point, Alice and Bob should share $\ell$ almost perfect
pairs $\sum_{i \in GF(N)} |ii\rangle/\sqrt{N}$ with fidelity at least
$(1 - \epsilon_I/\ell)$. By measuring their shared pairs in the
standard basis, Alice and Bob obtain their common
key. More importantly, Eve's information on this
common key is less than the security parameter $\epsilon_I$.
(Proof of this claim can be found in Theorem 4 in
Subsection IV-C below.)

Note that when N = 2, Scheme A is a variation of 
the six-state scheme introduced by Chau in Ref. [23]. The 
key difference is that the present one does not make use of 
Calderbank-Shor-Steane quantum code after PEC while the 
former one does. 

IV. Cryptanalysis Of The Entanglement-Based 
Quantum Key Distribution Scheme 

In this section, I am going to report a detailed unconditional security proof of Scheme A in the limit of a large number $L$ of transmitted quantum particles. I will also investigate the maximum error tolerance rate for Scheme A against the most general type of eavesdropping attack allowed by the laws of quantum physics. With suitable modifications, the security proof reported here can be extended to the case of a small finite $L$. Nevertheless, working in the limit of large $L$ makes the asymptotic error tolerance rate analysis easier.

Before carrying out the cryptanalysis, I will first define various error rate measures and discuss how to fairly compare error tolerance capabilities between different QKD schemes in Subsection IV-A. Then, I will briefly explain why a reliable upper bound of the channel error can be obtained by randomly testing only a small subset of quantum particles in step 2 of Scheme A in Subsection IV-B. Finally, I will prove the security of the privacy amplification procedure in step 3 of Scheme A and analyze its error tolerance rate in Subsection IV-C. This will complete the proof of unconditional security for entanglement-based Scheme A.

A. Fair Comparison Of Error Tolerance Capability And Various Measures Of Error Rates

Definition 4: Recall that Alice prepares $L$ particle pairs each in the state $\sum_{i \in GF(N)} |ii\rangle/\sqrt{N}$ and randomly applies powers of $T$ to each pair. Denote the resultant (pure) state of the pairs by $\bigotimes_j |\phi_j\rangle$. Then, she sends one particle in each pair through an insecure quantum channel to Bob; and upon reception, Bob randomly applies powers of $T$ to his share of the pair. The channel quantum error rate in this situation is defined as the marginal error rate of the measurement results when Alice and Bob were going to make a hypothetical measurement on the $j$th shared quantum particle pair in the basis $\{X_a Z_b \otimes I\,|\phi_j\rangle : a, b \in GF(N)\}$ for all $j$. In other words, the channel quantum error rate equals $1/L$ times the expectation value of the cardinality of the set $\{j : \text{hypothetical measurement of the } j\text{th pair equals } X_a Z_b \otimes I\,|\phi_j\rangle \text{ with } (a,b) \neq (0,0)\}$. The channel standard basis measurement error rate is defined as $1/L$ times the expectation value of the cardinality of the set $\{j : \text{hypothetical measurement of the } j\text{th pair equals } X_a Z_b \otimes I\,|\phi_j\rangle \text{ with } a \neq 0\}$.

The next two definitions concern only those quantum particle pairs retained by Alice and Bob in $\bigcup_i S_i$. (That is, those Alice and Bob have applied $T^{j}$ and $T^{-j}$ to the second particle of the shared pair for some $j$ respectively.) In the absence of noise and eavesdropper, all such particle pairs should be in the state $\sum_{i \in GF(N)} |ii\rangle/\sqrt{N}$. The signal quantum error rate (or quantum error rate (QER) for short) in this situation is defined as the expectation value of the proportion of particle pairs in $\bigcup_i S_i$ whose measurement result in the basis $\{\sum_{i \in GF(N)} |i\rangle \otimes X_a Z_b |i\rangle/\sqrt{N} : a, b \in GF(N)\}$ equals $\sum_{i \in GF(N)} |i\rangle \otimes X_a Z_b |i\rangle/\sqrt{N}$ for some $(a,b) \neq (0,0)$. The signal standard basis measurement error rate (or standard basis measurement error rate (SBMER) for short) is defined as the expectation value of the proportion of particle pairs in $\bigcup_i S_i$ whose measurement result in the basis $\{\sum_{i \in GF(N)} |i\rangle \otimes X_a Z_b |i\rangle/\sqrt{N} : a, b \in GF(N)\}$ equals $\sum_{i \in GF(N)} |i\rangle \otimes X_a Z_b |i\rangle/\sqrt{N}$ for some $a \neq 0$. In other words, SBMER measures the apparent error rate of the signal when Alice and Bob measure their shares of particles in the standard basis. In the special case of $N = 2^n$, any standard basis measurement result can be bijectively mapped to an $n$-bit string. Thus, it makes sense to define the signal bit error rate (or bit error rate (BER) for short) as the marginal error rate of the resultant $n$-bit string upon standard basis measurement of the signal at the end of the signal preparation and transmission stage.

Three important remarks are in place. First, SBMERs and BERs for QKD schemes using quantum particles of different dimensions as information carriers should never be compared directly. This is because the quantum communication channels used are different. In addition, the same eavesdropping strategy may lead to different error rates [13], [14], [15], [16], [17]. It appears that the only sensible situation to meaningfully compare the error tolerance capabilities of two QKD schemes is when the schemes are using the same quantum communication channel and are subjected to the same eavesdropping attack. Specifically, suppose Alice reversibly maps every $p^n$-dimensional quantum state used in Scheme A into $n$ possibly entangled $p$-dimensional quantum particles and sends them through an insecure $p$-dimensional quantum particle communication channel to Bob. Moreover, since we assume that Alice and Bob do not have quantum storage capability, it is reasonable to regard Alice to send every packet of $n$ possibly entangled $p$-dimensional quantum particles consecutively. In this way, Scheme A becomes an entangled-particle-based QKD scheme. More importantly, Eve may apply the same eavesdropping attack on the insecure $p$-dimensional quantum particle channel used by Alice and Bob irrespective of $n$. In this way, I can fairly compare the error tolerance capability between two entangled-particle-based QKD schemes derived from Scheme A using $p^n$- and $p^{n'}$-dimensional particles respectively against any eavesdropping attack on the $p$-dimensional quantum particle channel.

Second, the BER defined above for $N = 2^n$ with $n > 1$ depends on the bijection used. Fortunately, a useful lower bound on the BER can be found amongst all bijections immediately before Eq. (46) in Subsection IV-C.

Third, since quantum errors in the form $X_a Z_b$ with $(a, b) \neq (0, 0)$ permute under the conjugation by powers of $T$, the channel quantum error rate is equal to the QER of the signal. Roughly speaking, QER refers to the rate of any quantum error (phase shift and/or spin flip) occurring in the pair $\sum_{i \in GF(N)} |ii\rangle/\sqrt{N}$ shared by Alice and Bob. In contrast, due to the permutation of quantum errors by powers of $T$, the channel standard basis measurement error rate does not equal the SBMER in general.



B. Reliability On The Error Rate Estimation 

In Scheme A, Alice and Bob keep only those particle pairs that are believed to be in the state $\sum_{i \in GF(N)} |ii\rangle/\sqrt{N}$ at the end of step 1. Then, they measure some of them in the standard basis in the signal quality control test in step 2. More importantly, since all the LOCC2 EP and PEC privacy amplification procedures in step 2 map standard basis to standard basis, we can imagine conceptually that the final standard basis measurements of their shared secret key were performed right at the beginning of step 3. In this way, any quantum eavesdropping strategy used by Eve is reduced to a classical probabilistic cheating strategy [3].

Further recall that in step 2 Alice and Bob do not care about the measurement outcome of an individual quantum register; they only care about the difference between the measurement outcome of Alice and the corresponding outcome of Bob. In other words, they apply the projection operators

$$ P_a = \sum_{i \in GF(N)} |i, i+a\rangle \langle i, i+a| \tag{22} $$

to the randomly selected quantum registers they share in the set $S_0$. These projection operators can be rewritten in a form involving Bell-like states as follows. Define $|\Phi_{ab}\rangle$ to be the Bell-like state $\sum_{i \in GF(N)} |i\rangle \otimes X_a Z_b |i\rangle/\sqrt{N} = \sum_{i \in GF(N)} \omega_p^{\mathrm{Tr}(ib)} |i, i+a\rangle/\sqrt{N}$. Then the projection operator $P_a$ can also be written as

$$ P_a = \sum_{b \in GF(N)} |\Phi_{ab}\rangle \langle \Phi_{ab}|. \tag{23} $$

In a similar way, Alice and Bob apply the projection operators $T^{-i} P_a T^{i}$ to the set $S_i$ for all $i$. Now, it is straightforward to check that the unitary operator $T$ maps Bell-like states to Bell-like states. Combining with Eqs. (22) and (23), the signal quality control test in step 2 of Scheme A can be regarded as an effective random sampling test for the fidelity of the pairs as $|\Phi_{00}\rangle = \sum_{i \in GF(N)} |ii\rangle/\sqrt{N}$.

At this point, classical sampling theory can be used to estimate the quantum channel error and hence the eavesdropping rate of the classical probabilistic cheating strategy used by Eve as well as the fidelity of the remaining pairs as $|\Phi_{00}\rangle$.

Lemma 3 (Adapted from Lo, Chau and Ardehali [2]): Suppose that immediately after step 2 in Scheme A, Alice and Bob share $L_i$ pairs of particles in the set $S_i$, namely, those particles that are evolved under $T^{i}$ and then $T^{-i}$. Suppose further that Alice and Bob randomly pick $O(\log[1/\epsilon]/\delta^2) < 0.01 L_i$ out of the $L_i$ pairs for testing in step 2. Define the estimated channel standard basis measurement error rate $\hat{e}_i$ to be the portion of tested pairs whose measurement results obtained by Alice and Bob differ. Denote the channel standard basis measurement error rate for the set $S_i$ by $e_i$. Then, the probability that $|\hat{e}_i - e_i| > \delta$ is of the order of $\epsilon$ for any fixed $\delta > 0$.

Proof: Using earlier discussions in this subsection, the problem depicted in this lemma is equivalent to a classical random sampling problem without replacement whose solution follows directly from Lemma 1 in Ref. [2]. ■

Lemma 3 assures that by randomly choosing $O(\log[1/\epsilon]/\delta^2)$ out of $L_i$ pairs to test, the unbiased estimator $\hat{e}_i$ cannot differ from the actual channel standard basis measurement error rate $e_i$ significantly. More importantly, the number of particle pairs they need to test is independent of $L_i$. Therefore, in the limit of large $L_i$ (and hence large $L$), randomly testing a negligibly small portion of quantum particle pairs is sufficient for Alice and Bob to estimate with high confidence the channel standard basis measurement error rate in the set $S_i$ [2]. In addition, the QER of the remaining untested particle pairs is the same as that of $\bigcup_i S_i$ in the large $L$ limit.

Theorem 2: Using the notation in Lemma 3, $\sum_{i=0}^{N} \hat{e}_i/N$ is a reliable estimator of the upper bound of the QER. Specifically, the probability that the QER exceeds $\sum_{i=0}^{N} \hat{e}_i/N + (N+1)\delta/N$ is less than $\epsilon(N+1)$.

Proof: Recall that Eve does not know the choice of unitary operators applied by Alice and Bob in step 1 in Scheme A. Hence, in the limit of large $L$, the $X_a Z_b$ error rate in the set $S_0$ is equal to that of $T^{-k} X_a Z_b T^{k}$ in the set $S_k$. Therefore, this theorem follows directly from Corollary 2 and Lemma 3. ■

To summarize, once the signal quality control test in step 2 of Scheme A is passed, Alice and Bob have high confidence (of at least $(1 - \epsilon)$) that the QER of the remaining untested particle pairs is small.

Before leaving this subsection, I would like to point out 
that one can estimate the QER in a more aggressive way. 
Specifically, Alice and Bob do not simply know whether the 
measurement results of each tested pair are equal, in fact 
they know the difference between their measurement results 
in each tested pair. They may exploit this extra piece of 
information to better estimate the probability of $X_a Z_b$ error
in the signal for each $a, b \in GF(N)$. Such estimation helps
them to devise tailor-made privacy amplification schemes that 
tackle the specific kind of error caused by channel noise and 
Eve. While this methodology will be useful in practical QKD, 
I shall not pursue this direction further here as the aim of 
this paper is the worst-case cryptanalysis in the limit of large 
number of quantum particle transfer L. 

C. Security Of Privacy Amplification 

Definition 5: We denote the $X_a Z_b$ error rate of the quantum particles shared by Alice and Bob just before step 3 in Scheme A by $e_{a,b}$. And when there is no possible confusion in the subscript, we shall write $e_{ab}$ instead of $e_{a,b}$. Similarly, we denote the $X_a Z_b$ error rate of the resultant quantum particles shared by them after $k$ rounds of LOCC2 EP by $e^{k\,\mathrm{EP}}_{a,b}$ or $e^{k\,\mathrm{EP}}_{ab}$. Suppose further that Alice and Bob perform PEC using the $[r, 1, r]_N$ majority vote code after $k$ rounds of LOCC2 EP. We denote the resultant $X_a Z_b$ error rate by $e^{\mathrm{PEC}}_{a,b}$ or $e^{\mathrm{PEC}}_{ab}$.

Recall that Alice and Bob randomly and independently apply $T^{i}$ and $T^{-j}$ to each transmitted quantum register. More importantly, their choices are unknown to Eve when the quantum particle is traveling in the insecure channel. Let $\mathcal{E}$ be the quantum operation that Eve applies to the quantum particles in the set $\bigcup_i S_i$. (In other words, $\mathcal{E}$ is a completely positive convex-linear map acting on the set of density matrices describing the quantum particle pairs to which Alice and Bob have applied $T^{j}$ and $T^{-j}$ respectively for some $j$. Moreover, the trace of $\mathcal{E}$ is between 0 and 1.) After Alice and Bob have publicly announced their choices of quantum operations, the quantum particle pairs in $\bigcup_i S_i$ had equal chance of suffering from $(\bigotimes_j T^{-i_j})\, \mathcal{E}\, (\bigotimes_j T^{i_j})$ where $0 \le i_j \le N$. Note that the index $j$ in the tensor product in the above expression runs over all particle pairs in $\bigcup_i S_i$. Besides, the privacy amplification procedure in step 3 is performed irrespective of which set $S_i$ the particle belongs to. Therefore, the QER satisfies the constraints

$$ \sum_{i,j \in GF(N)} e_{ij} = 1 \tag{24} $$

and

$$ e_{ab} = e_{a'b'} \quad \text{if } (a,b) \sim (a',b'). \tag{25} $$

After knowing the initial conditions for the QER, I am going to investigate the effect of LOCC2 EP on the QER.

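Lemma 4: In the limit of a large number of transmitted quantum registers, $e^{k\,\mathrm{EP}}_{ab}$ is given by

$$ e^{k\,\mathrm{EP}}_{ab} = \frac{\sum_{c_0, c_1, \ldots, c_{2^k-2} \in GF(N)} e_{a c_0}\, e_{a c_1} \cdots e_{a c_{2^k-2}}\, e_{a,\, b - c_0 - c_1 - \cdots - c_{2^k-2}}}{\sum_{i \in GF(N)} \left( \sum_{j \in GF(N)} e_{ij} \right)^{2^k}}. \tag{26} $$

Moreover, in this limit, $e^{k\,\mathrm{EP}}_{ab} = e^{k\,\mathrm{EP}}_{-a,-b}$ for all $a, b \in GF(N)$ and $k \in \mathbb{N}$.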

Proof: Suppose the control and target registers in Bob's laboratory suffer from $X_a Z_b$ and $X_{a'} Z_{b'}$ errors respectively. (In contrast, those in Alice's hand are error-free as they never pass through the insecure noisy channel.) Then after applying the unitary operation in Eq. (21), the errors in the control and target registers will become $X_a Z_{b+b'}$ and $X_{a'-a} Z_{b'}$ respectively.

In the limit of large number of transmitted quantum registers, the covariance between probabilities of picking any two distinct quantum registers tends to zero. Besides, the covariance between probabilities of picking any two distinct pairs of quantum registers also tends to zero. Hence, in this limit, the expectation value of the $X_a Z_b$ error rate just after applying the unitary operation in Eq. (21) can be computed by assuming that the error in every control and target register pair is independent. Moreover, the variance of the $X_a Z_b$ error rate tends to zero in this limit.

To show that Eq. (26) is valid, let us recall that Alice and Bob keep their control registers only when the measurement results of their corresponding target registers agree. In other words, they keep the control registers only when $a = a'$. Thus, once the control register in Bob's laboratory is kept, it will suffer an error $X_d Z_c$ where $d = a$ and $c = b + b'$. Therefore, in the limit of a large number of transmitted quantum registers, the number of quantum registers remaining after $(k+1)$ rounds of LOCC2 EP is proportional to $\sum_{i \in GF(N)} ( \sum_{j \in GF(N)} e^{k\,\mathrm{EP}}_{ij} )^2$. Similarly, the number of quantum registers suffering from $X_a Z_b$ error after $(k+1)$ rounds of LOCC2 EP is proportional to $\sum_{c \in GF(N)} e^{k\,\mathrm{EP}}_{ac}\, e^{k\,\mathrm{EP}}_{a,b-c}$. More importantly, the two proportionality constants are the same. Therefore,

$$ e^{(k+1)\,\mathrm{EP}}_{ab} = \frac{\sum_{c \in GF(N)} e^{k\,\mathrm{EP}}_{ac}\, e^{k\,\mathrm{EP}}_{a,b-c}}{\sum_{i \in GF(N)} \left( \sum_{j \in GF(N)} e^{k\,\mathrm{EP}}_{ij} \right)^2} \tag{27} $$

for all $k \in \mathbb{N}$. Eq. (26) can then be proven by mathematical induction on $k$. (It is easier to use mathematical induction to prove the validity of the numerator in Eq. (26) and then use Eq. (24) to determine the denominator.)



To show that $e^{k\,\mathrm{EP}}_{ab} = e^{k\,\mathrm{EP}}_{-a,-b}$, I only consider the case of $p > 2$ since the assertion is trivially true when $p = 2$. From Corollary 2 and Eq. (25), we have $e_{ab} = e_{-a,-b}$. Inductively, assuming the validity of the assertion for $k$, then

$$ e^{(k+1)\,\mathrm{EP}}_{ab} = \sum_{c \in GF(N)} e^{k\,\mathrm{EP}}_{ac}\, e^{k\,\mathrm{EP}}_{a,b-c} / D_k = \sum_{c \in GF(N)} e^{k\,\mathrm{EP}}_{-a,-c}\, e^{k\,\mathrm{EP}}_{-a,-b+c} / D_k = e^{(k+1)\,\mathrm{EP}}_{-a,-b}, $$

where $D_k = \sum_{i \in GF(N)} ( \sum_{j \in GF(N)} e^{k\,\mathrm{EP}}_{ij} )^2$. Hence, the lemma is proved. ■



Eq. (26) in Lemma 3 can be expressed in a more compact and useful form below.

Corollary 3: Any element $a \in GF(N) = GF(p^n)$ can be expressed as a degree $(n-1)$ polynomial $a_0 + a_1 x + \cdots + a_{n-1} x^{n-1}$ in $GF(p)[x]$. With this notation in mind, $e^{k\,\mathrm{EP}}_{ab}$ in Eq. (26) can be rewritten as



ofcEP 
^ab 




E 



Bai COS 



jeGFiN) 



ieGF{N) \jeGF{N) 



(28) 



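In particular, if $e_{ab}$ satisfies

$$ e_{ab} = \begin{cases} \dfrac{1 - e_{00}}{N+1} & \text{if } (a,b) \sim (0,1), \\ 0 & \text{if } (a,b) \not\sim (0,0) \text{ and } (0,1), \end{cases} \tag{29} $$

then for $p = 2$,

$$ e^{k\,\mathrm{EP}}_{00} = \frac{(e_{00} + e_{01})^{2^k} + (e_{00} - e_{01})^{2^k}}{2 \left[ (e_{00} + e_{01})^{2^k} + \sum_{i \neq 0} \left( \sum_{j \in GF(N)} e_{ij} \right)^{2^k} \right]}, \tag{30} $$

$$ e^{k\,\mathrm{EP}}_{01} = \frac{(e_{00} + e_{01})^{2^k} - (e_{00} - e_{01})^{2^k}}{2 \left[ (e_{00} + e_{01})^{2^k} + \sum_{i \neq 0} \left( \sum_{j \in GF(N)} e_{ij} \right)^{2^k} \right]} \tag{31} $$

and

$$ e^{k\,\mathrm{EP}}_{0b} = 0 \quad \text{for } b \neq 0, 1. \tag{32} $$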

Proof: The numerator of Eq. i26\ is equal to the sum 
of coefficients of the terms in the form ■■■x™2i^ 
in the polynomial {J2jeGF{N) (^ajX^" x{' ■ ■ ■ xl;;Si)'^'' 
where = — bi mod p for all i. This sum is in 

turn equal to V -. p-i X(7 a;„ ''V^ 

iJ2jeGF{N) ^ajxi° ■ ■ ■xi"sl)^'' /N. Since the imaginary part 
of the above sum is zero, I arrive at the expression in Eq. ( I28> . 

The proof of the remaining parts of this lemma now follows directly from Eq. (28) and Corollary 2. ■

Lemma 3 and Corollary 3 generalize a similar result for qubits [22], [23]. In fact, the effect of LOCC2 EP is to reduce errors in the form $X_a Z_b$ with $a \neq 0$ at the expense of possibly increasing errors in the form $Z_c$ with $c \neq 0$. I further remark that in case $L$ is finite, $e^{k\,\mathrm{EP}}_{ab}$ is determined by solving the classical problem of randomly pairing $N^2$ kinds of balls in an urn containing $2r\ell$ balls. Therefore, $e^{k\,\mathrm{EP}}_{ab}$ is related to the so-called multivariate hypergeometric distribution whose theory is reviewed extensively in Ref. [28].

In the qubit case, that is when $N = p = 2$, Eqs. (24) and (25) demand that $e_{01} = e_{10} = e_{11} = (1 - e_{00})/3$. In other words, the evolution of QER under the action of LOCC2 EP depends on a single parameter, namely, $e_{00}$. Nevertheless, the situation is more complicated when $N > 2$ because $e^{k\,\mathrm{EP}}_{ab}$ depends on more than one parameter. Fortunately, as we shall see later on, it is possible to determine the worst case scenario for $e_{ab}$ when the number of rounds of LOCC2 EP, $k$, is sufficiently large when $p = 2$.
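The recursion of Eq. (27) can be iterated numerically and compared with the closed forms of Eqs. (30)-(32). The following Python sketch is an added example, not code from the paper; it assumes $N = 2^n$ (so that subtraction in $GF(N)$ is bitwise XOR on the coefficient bits) and uses a constructed error distribution whose row $a = 0$ contains only $e_{00}$ and $e_{01}$, with the positions of the non-zero entries in the rows $a \neq 0$ chosen arbitrarily.

```python
"""Numerical check of the LOCC2 EP recursion, Eq. (27), for N = 2^n (p = 2)."""


def ep_round(e):
    """Apply one LOCC2 EP round. e[a][b] is the X_a Z_b error rate.

    Field elements are labelled 0..N-1 (bit i = coefficient of x^i), so the
    subtraction b - c in GF(2^n) is the bitwise XOR b ^ c.
    """
    n_dim = len(e)
    # Numerator of Eq. (27): both pairs carry the same X_a, their phases add.
    num = [[sum(e[a][c] * e[a][b ^ c] for c in range(n_dim))
            for b in range(n_dim)] for a in range(n_dim)]
    # Denominator of Eq. (27): probability that the target results agree.
    den = sum(sum(row) ** 2 for row in e)
    return [[x / den for x in row] for row in num]


def ep_rounds(e, k):
    """Apply k successive LOCC2 EP rounds."""
    for _ in range(k):
        e = ep_round(e)
    return e


def closed_form_row0(e, k):
    """Eqs. (30) and (31): e00 and e01 after k rounds, valid when row a = 0
    of the initial distribution has only e00 and e01 non-zero."""
    m = 2 ** k
    plus, minus = e[0][0] + e[0][1], e[0][0] - e[0][1]
    den = 2 * (plus ** m + sum(sum(row) ** m for row in e[1:]))
    return (plus ** m + minus ** m) / den, (plus ** m - minus ** m) / den


def spin_flip_rate(e):
    """Total rate of errors X_a Z_b with a != 0."""
    return sum(sum(row) for row in e[1:])


def sample_error_rates(n_dim=4, e00=0.7):
    """Constructed sample: N + 1 entries equal to (1 - e00)/(N + 1), one in
    row 0, two in one row a != 0 and one in every other row (positions inside
    the rows a != 0 are an arbitrary choice of this example)."""
    q = (1 - e00) / (n_dim + 1)
    e = [[0.0] * n_dim for _ in range(n_dim)]
    e[0][0], e[0][1] = e00, q
    e[1][0], e[1][1] = q, q
    for a in range(2, n_dim):
        e[a][1] = q
    return e


if __name__ == "__main__":
    start = sample_error_rates()
    for k in range(4):
        ek = ep_rounds(start, k)
        print(k, round(spin_flip_rate(ek), 6), round(ek[0][1], 6))
```

Running it shows the spin flip rate collapsing round by round while the pure phase error $e_{01}$ grows towards 1/2, which is the trade-off that PEC is then used to undo.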

Lemma 5: The following two statements hold provided that either (1) $p = 2$ and $e_{00} > 1/(N+2)$ or (2) $p > 2$ and $e_{00} > 2/(N+3)$.

(a) The maximum term in the denominator of Eq. (28) is $( \sum_{j \in GF(N)} e_{0j} )^{2^k}$.

(b) $e^{k\,\mathrm{EP}}_{00} > e^{k\,\mathrm{EP}}_{0b}$ whenever $b \neq 0$.

Proof: To prove the first statement, I first consider the $p = 2$ case. Using Corollary 2 plus the two constraints in Eqs. (24) and (25), we have $e_{00} > (1 - e_{00})/(N+1) = \sum_{j \neq 0} e_{0j} \geq e_{ab}$ for all $(a,b) \neq (0,0)$. Hence, Corollary 2 demands that $\sum_j (e_{0j} - e_{ij}) \geq e_{00} - \sum_{j \neq 0} e_{0j} > 0$ for all $i \neq 0$. By the same argument, in the $p > 2$ case, $\sum_j (e_{0j} - e_{ij}) \geq e_{00} - 2(1 - e_{00})/(N+1) > 0$ for all $i \neq 0$.



To prove the second statement, I express $e^{k\,\mathrm{EP}}_{00} - e^{k\,\mathrm{EP}}_{0b}$ in terms of the $e^{(k-1)\,\mathrm{EP}}_{0c}$'s by invoking Eq. (27). The denominator of this expression is positive and the numerator is given by

$$ \sum_{c \in GF(N)} e^{(k-1)\,\mathrm{EP}}_{0c} \left( e^{(k-1)\,\mathrm{EP}}_{0,-c} - e^{(k-1)\,\mathrm{EP}}_{0,b-c} \right) = \frac{1}{2} \sum_{c \in GF(N)} \left( e^{(k-1)\,\mathrm{EP}}_{0c} - e^{(k-1)\,\mathrm{EP}}_{0,b-c} \right)^2, \tag{33} $$

where I have used Lemma 4 to arrive at the second line. Therefore, $e^{k\,\mathrm{EP}}_{00} \geq e^{k\,\mathrm{EP}}_{0b}$ for all $b$. In fact, our assumption on the value of $e_{00}$ implies $e_{00} > e_{0b}$ for all $b \neq 0$. Hence from Eq. (33), statement (b) holds for $k = 1$. The validity of statement (b) for all $k \in \mathbb{Z}^+$ can then be shown by mathematical induction on $k$. ■

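Theorem 3: In the limit of large number of quantum particles transmitted from Alice to Bob, the $X_a Z_b$ error rate after PEC $e^{\mathrm{PEC}}_{ab}$ using the $[r, 1, r]_N$ majority vote code satisfies

$$ \sum_{i \neq 0} \sum_{j \in GF(N)} e^{\mathrm{PEC}}_{ij} \leq r \sum_{i \neq 0} \sum_{j \in GF(N)} e^{k\,\mathrm{EP}}_{ij}. \tag{34} $$

Moreover, if $p = 2$ and $e_{00} > 1/(N+2)$, then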



Proof: Recall that the error syndrome of the $[r, 1, r]_N$
majority vote code is



(36) 



Therefore, after measuring the (phase) error syndrome, $Z_b$ error stays on the control register while $X_a$ error propagates from the control as well as all target registers to the resultant control quantum register [29]. Specifically, suppose the error on the $i$th quantum register is $X_{a_i} Z_{b_i}$ for $i = 1, 2, \ldots, r$. Then, after measuring the error syndrome, the resultant error in the remaining control register equals $X_{a_1 + \cdots + a_r} Z_{b_1}$. Consequently, upon PEC, the error in the remaining register is $X_{a_1 + \cdots + a_r} Z_b$ where $b$ is the majority of $b_i$ ($i = 1, 2, \ldots, r$). In other words, after PEC, spin flip error rates are increased by at most $r$ times. Hence, Eq. (34) holds.

By the same argument used in Lemma 3, in the limit of large number of quantum register transfer, the rate of any kind of phase error after PEC, $\sum_{i \in GF(N)} \sum_{j \neq 0} e^{\mathrm{PEC}}_{ij}$, satisfies



E E^r 

i€GF{N) j^O 

< {N — 1) max{Pr (the number of registers suffering 
from error in the form XaZi is greater than or 
equal to those suffering from error in the form Xa 
when drawn from a random sample of r registers, 
given a fixed eoo)}, (37) 



as k 



00. 



E E^r 



iGGF(JV) 



< (iv-1) 



(eoo 



N+1 ) 



2(eoo 



l-eoo X2'' + i 
N+l I 



(35) 



where the maximum is taken over all possible probabilities with different $e_{ab}$'s satisfying the constraints in Eqs. (24) and (25). I denote the sum $\sum_{i \in GF(N)} e^{k\,\mathrm{EP}}_{ib}$ by $e^{k\,\mathrm{EP}}_{Z_b}$. Then,



ieGF(N) j^O 



< (7V-l)max{ 







(1 



„fcEP\r- 
^Zi ) 



(e 



fcEP 

Zo ' 



Pr(the number of registers suffering 



from error in the form XaZi is greater than or 
equals to those suffering from error in the from Xa 
when drawn from a random sample of s registers, 
given that these s registers are suffering from error 
in the form XaZi, for & = 0, 1 and given a fixed eoo)} 



< 



(A^ - 1) max{ 



s=0 



(1 



„fcEP 



-Zi ) 



(e 



fcEP 
Zo 



+ e 



feEPN 



exp 




ofeEP 



^feEP 



+ e 



fcEP 
Zi , 



(7V-l)max{{l-(4f + e|f) 







-2[l/2-e|f/(e|.;;''+e|f)] 



1 



< 



(7V-l)max{[l-2t(e|f + e|f)x 

21 



„ EP 1^ „ fc EP 



-Zx 



} 



(38) 



where $t \to 1$ as $k \to \infty$. Note that I have used Eq. (1.2.5) in Ref. [30] to arrive at the second inequality above. (Eq. (1.2.5) is applicable because Lemma 5 implies that $e^{k\,\mathrm{EP}}_{Z_0} > e^{k\,\mathrm{EP}}_{Z_1}$ for a sufficiently large $k$.)

Since $e_{00}$ satisfies $p = 2$ and $e_{00} > 1/(N+2)$, Lemma 5 tells us that $( \sum_{j \in GF(N)} e_{0j} )^{2^k}$ is the dominant term in the denominator of Eq. (28) when $k$ is sufficiently large. Thus,
it is easy to check that both e^^^/e^^^ and 

eoo)/(^ 



using Eq. (128 



e^J^^ are maximized if 



$e_{ab} = (1 - e_{00})/(N + 1)$ for all $(a, b) \sim (0, 1)$ when subjected to the following two constraints: (1) $e_{00}$ is fixed; and (2) Eqs. (24) and (25) are satisfied. Therefore, the last line of Eq. (38) is maximized if Eq. (29) holds. Consequently, Eqs. (30) and (32) imply the validity of Eq. (35). ■

The above theorem tells us that the effect of PEC is reducing errors in the form $X_a Z_b$ with $b \neq 0$ at the expense of possibly increasing errors in the form $X_c$ with $c \neq 0$. For this reason, a powerful signal privacy amplification procedure can be constructed by suitably combining LOCC2 EP and PEC.

Now, I am going to prove the unconditional security of Scheme A.

Theorem 4: Let $N = p^n$ be a prime power, $\epsilon_p$, $\epsilon_I$ and $\delta$ be three arbitrarily small but fixed positive numbers. Define

$$ e^{\mathrm{QER}} = \frac{(N+1)(\sqrt{5}-2)}{1 + (N+1)(\sqrt{5}-2)} \quad \text{for } p = 2. \tag{39} $$

Then, the entanglement-based QKD Scheme A involving the transfer of $N$-dimensional quantum particles is unconditionally secure with security parameters $(\epsilon_p, \epsilon_I)$ when the number of quantum register transfer $L \equiv L(\epsilon_p, \epsilon_I, \delta)$ is sufficiently large. Specifically, provided that Alice and Bob abort the scheme whenever the estimated QER in step 2 is greater than $(e^{\mathrm{QER}} - \delta)$, then the secret key generated by Alice and Bob is provably secure in the $L \to \infty$ limit. In fact, if Eve uses an eavesdropping strategy with at least $\epsilon_p$ chance of passing the signal quality test stage in step 2, the mutual information between Eve's measurement results after eavesdropping and the final secret key is less than $\epsilon_I$. In this respect, Scheme A tolerates asymptotically up to $e^{\mathrm{QER}}$ QER.

Proof: Since $L > (N+1)^2 \log[(N+1)/\epsilon_p]/\delta^2 N^2$, therefore by applying Lemma 3 and Theorem 2, I conclude that by testing $O([N+1]^2 \log\{[N+1]/\epsilon_p\}/\delta^2 N^2)$ pairs, any eavesdropping strategy that causes a QER higher than $e^{\mathrm{QER}}$ has less than $\epsilon_p$ chance of passing the signal quality test stage in step 2 of Scheme A. (Similarly, if the QER is less than $(e^{\mathrm{QER}} - 2\delta)$, it has at least $(1 - \epsilon_p)$ chance of passing step 2. As $\delta$ can be chosen to be arbitrarily small, the signal quality test stage in step 2 of Scheme A is not overly conservative.)

Now, suppose that Alice and Bob arrive at the signal privacy amplification stage in step 3 of Scheme A. Since $L \to \infty$, the quantum particle pairs used in the signal quality test stage in step 2 do not affect the error rates $e_{ab}$'s of the remaining untested particle pairs.

First, I consider the case when $p = 2$. After applying $k$ rounds of LOCC2 EP, Alice and Bob may consider picking $r$ used in the majority vote PEC to be

e//2EjGGFUV)Ej5^oSy^^-

In the limit of $k \to \infty$, Corollaries 2 and 3 imply that in the worst case scenario, there are at most two distinct $b = b(a)$ and $b' = b'(a)$ such that $e_{ab}, e_{ab'} > 0$ for all $a \neq 0$. Hence, $r$ can be chosen to be

^ ej[e,, + {l-e,,)l{N + l)f 
^7V[2(l-eoo)/(A^ + l)]2'= 

whenever $e_{00} > 1/(N+2)$, where $\ell$ is the number of quantum particle pairs Alice and Bob share immediately after the PEC procedure in step 3b. Besides, $r \to \infty$ in the $k \to \infty$ limit. So, from Eqs. (34) and (35) in Theorem 3, the QER of the remaining quantum registers after PEC, $e^{\mathrm{final}}$, is upper-bounded by



efi-i<| + (7V-l)exp 



'e/(eoo 



l-epo ',2" 
AT+l J 



2lN{eoo 



l-epo '(2'' r 2(1 — 600) 12'' 
AT+l I i N+1 



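(41)

In other words, $e^{\mathrm{final}} < \epsilon_I/\ell^2$ provided that

$$ \left( e_{00} - \frac{1 - e_{00}}{N+1} \right)^2 > \frac{2(1 - e_{00})}{N+1} \left( e_{00} + \frac{1 - e_{00}}{N+1} \right). \tag{42} $$

This condition is satisfied if and only if

$$ e_{00} > \frac{1}{1 + (N+1)(\sqrt{5}-2)}. \tag{43} $$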

It is easy to verify that the constraint in Eq. (43) is consistent
with the assumption that $e_{00} > 1/(N + 2)$. Hence, provided

that the initial QER satisfies



(ij)#(0,0) 



l + (iV + l)(V5-2) 



(44) 
N      Tolerable SBMER      Tolerable BER
2      27.64%               27.64%
4      43.31%               27.07%
8      60.44%               32.74%
16     75.34%               38.85%

TABLE II

The tolerable SBMER and BER for Scheme A and hence also Scheme B for $2^n \leq 16$. As pointed out in the text, the values of SBMER and BER should not be compared directly.



the fidelity of the $\ell$ quantum particle pairs shared between Alice and Bob immediately before they perform standard basis measurement to obtain their secret key is at least $1 - \ell e^{\mathrm{final}} > 1 - \epsilon_I/\ell$. By Footnote 28 in [3], the mutual information between Eve's final measurement result after eavesdropping and the final secret key is at most $\epsilon_I$. Thus, if Alice and Bob abort the scheme if the estimated QER in step 2 exceeds $(e^{\mathrm{QER}} - \delta)$, the secret key generated is provably secure. More importantly, the scheme is unconditionally secure with security parameters $(\epsilon_p, \epsilon_I)$. ■

A few remarks are in order. First, the unconditional security of Scheme A for $p > 2$ can be proven in a similar way. However, the computation of $e^{\mathrm{QER}}$ is getting messy as the condition for minimizing $e^{\mathrm{QER}}$ turns out to be $N$ dependent.

Second, from Corollary 2, when $p = 2$, $GF(N)^2/\!\sim\ = \{(0,b)/\!\sim\ : b \in GF(N)\}$ and hence the ratio between QER and SBMER for any kind of eavesdropping attacks equals $(N+1) : N$. In contrast, when $p > 2$, such a ratio varies between $(N+1) : (N-1)$ and $1 : 1$. Combining these observations with Theorem 3, I conclude that the maximum tolerable SBMER for Scheme A is given by



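$$ e^{\mathrm{SBMER}} = \begin{cases} \dfrac{N e^{\mathrm{QER}}}{N+1} & \text{if } p = 2, \\[2ex] \dfrac{(N-1) e^{\mathrm{QER}}}{N+1} & \text{if } p > 2. \end{cases} \tag{45} $$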



In addition, if $p = 2$, Corollary 2 implies that there is a unique $a \neq 0$ such that $(0,1) \sim (a, b) \sim (a, b')$ for some $b \neq b'$. Hence, no matter which bijective map Alice and Bob use to convert their standard basis measurement result of an $N$-dimensional quantum particle into a $\log_2 N$-bit string, the ratio between QER and BER is at least $(N + 1) : (1 + 0.5 N \log_2 N)/\log_2 N$. Consequently, the maximum tolerable BER for Scheme A is given by



$$ e^{\mathrm{BER}} = \frac{1 + 0.5 N \log_2 N}{(N+1) \log_2 N}\, e^{\mathrm{QER}}. \tag{46} $$



I tabulate the tolerable SBMER and BER in Table II. However, I must emphasize once again that according to the discussions in Subsection IV-A, we should not and cannot deduce the relative error tolerance capability from Table II.

Third, I study the tolerable error rate of Scheme A as a function of $N$. Table II shows that the maximum tolerable BER $e^{\mathrm{BER}}$ for $N = 2$ is the same as the one obtained earlier by Chau in Ref. [23]. More importantly, $e^{\mathrm{SBMER}}$ increases as $n$ increases.

Actually, according to Eqs. (39) and Eqs. (45)-(46), the tolerable SBMER and BER tend to 100% and 50% respectively as $2^n \to \infty$. More precisely, as $n \to \infty$, the tolerable BER for Scheme A using $2^n$-level quantum particles scales as $\approx 1/2 - (3 + \sqrt{5})/2^{n+1}$.

On the other hand, the lemma below set the upper Umit for 
the tolerable SBMER for Scheme A. 

Lemma 6: The tolerable SBMER for Scheme A is upper- 
bounded by {N-l)/{N+\) if p = 2 and {N-lf/[N{N + 
1)] if p > 2. In fact, these bounds are set by the following 
interpret-and-resend strategy: Eve randomly and independently 
measures each A^-dimensional particle in the insecure quantum 
channel in the standard basis {|0), |1), . . . , — 1)}. Then, 
she records the measurement result and resends the measured 
particle to Bob. 

Proof: The proof follows the idea reported in Ref. [22].
Clearly, using this intercept-and-resend strategy, no quantum
correlation between Alice and Bob can survive and hence no
provably secure key can be distributed. Thus, this
eavesdropping strategy sets the upper bound for the tolerable
SBMER and BER for Scheme A. It is easy to check that the bases
$\{T^i|0\rangle, T^i|1\rangle, \ldots, T^i|N-1\rangle\}$ where $i = 0, 1, \ldots, N$ if $p = 2$
and $i = 0, 1, \ldots, (N-1)/2$ if $p > 2$ are mutually unbiased.
(A proof can be found in Lemma 7 in Section V below.)
Consequently, if it turns out that the measured qubit is prepared in
the standard basis, that qubit will be accepted by Scheme A
as error-free. In contrast, if the measured qubit is not prepared
in the standard basis, it has $(N-1)/N$ chance of being
detected as erroneous. Therefore, the tolerable SBMER is
upper-bounded by $N/(N+1) \times (N-1)/N = (N-1)/(N+1)$
if $p = 2$ and $[(N+1)/2 - 1]/[(N+1)/2] \times (N-1)/N =
(N-1)^2/[N(N+1)]$ if $p > 2$. ■

Thus, the difference between the tolerable SBMER and its 
theoretical upper bound tends to zero in the limit of large $N$.
So in the limit, the error tolerance capability of Scheme A 
approaches its maximally allowable value. 

Fourth, readers may wonder why Scheme A is highly
error-tolerant especially when $N$ is large. Recall that Eve does
not know which particles are in set $S_i$ when the particles
are transmitted from Alice to Bob. Hence, in the limit of
large number of quantum particle transfer L, Cab satisfies
the constraints in Eqs. (24) and (25). This greatly limits the
relative occurrence rates between different types of quantum
errors. At this point, the LOCC2 EP becomes a powerful tool
to reduce the spin errors at the expense of increasing phase
errors. Furthermore, provided that the condition in Lemma 5
holds, e|^^ > e|^^ for all $b \neq 0$. In other words, the dominant
kind of phase error is having no phase error at all. Thus, the
majority vote PEC procedure is effective in bringing down the
phase error. This is the underlying reason why Scheme A is
so powerful that in the limit $N \to \infty$, $e^{\text{SBMER}} \to 1$.

(45)

(46)

Fifth, the privacy amplification performed in Scheme A is 
based entirely on entanglement purification and phase error 
correction. In fact, the key ingredient in reducing the QER 
used in the proof of Theorem 4 is the validity of conditions
shown in Eq. (42). Nonetheless, there is no need to bring down
the QER to an exponentially small number. In fact, one may
devise an equally secure scheme by following the adaptive
procedure introduced by Chau in Ref. [23]. That is to say, 
Alice and Bob may switch to a concatenated Calderbank- 
Shor-Steane quantum code when the PEC brings down the 
QER to about 5%. The strategy of adding an extra step 
of quantum error correction towards the end of the privacy 
amplification procedure may increase the key generation rate. 
This is because from the proof of Theorem 3 together with
Eq. (40), I conclude that in order to bring the QER down
to less than e after k rounds of LOCC2 EP, Alice and Bob 
have to choose r and hence the number of quantum registers 
needed in PEC to be ^ ec^ for some constant c > 1. In 
contrast, by randomizing the quantum registers, the QER after 
each application of the Steane's seven quantum register code 
is reduced quadratically whenever the QER is less than about 
5%. Consequently, Alice and Bob may increase the key
generation rate by performing fewer rounds of LOCC2 EP, choosing
e ≈ 0.01, and finally adding a few rounds of
Calderbank-Shor-Steane code quantum error correction procedure.

V. Reduction To The Prepare-And-Measure 
Scheme 

Finally, I apply the standard Shor and Preskill proof [20] to 
reduce the entanglement-based Scheme A to a provably secure 
prepare-and-measure scheme in this section. Let me first write
down the detailed procedure of Scheme B before showing its
security.

Prepare-and-measure QKD Scheme B 

1) Alice randomly and independently prepares $L \gg 1$
quantum particles in the standard basis. She applies
one of the following unitary transformations to each
particle randomly and independently: $I, T, T^2, \ldots, T^N$.
Alice records the states and transformations she applied
and then sends the states to Bob. He acknowledges
the reception of these particles and then applies one of
the following transformations to each received particle
randomly and independently: $I^{-1}, T^{-1}, T^{-2}, \ldots, T^{-N}$.
Now, Alice and Bob publicly reveal their unitary
transformations applied to each particle. A particle is kept
and is said to be in the set $S_i$ if Alice and Bob have
applied $T^i$ and $T^{-i}$ to it respectively. Bob measures
the particles in $S_i$ in the standard basis and records the
measurement results.

2) Alice and Bob estimate the quantum channel error 
rate by sacrificing a few particles. Specifically, they 
randomly pick 0([iV + 1]^ \og{[N + l]/e}/S^N^) pairs 
from each of the ($N + 1$) sets $S_i$ and publicly reveal the
preparation and measured states for each of them. In this
way, they obtain the estimated channel error rate within
standard deviation S with probability at least (1 - e). If
the channel error rate is too high, they abort the scheme 
and start all over again. 

3) Alice and Bob perform the following privacy amplifica- 
tion procedure. 

a) They apply the privacy amplification procedure 
with two way classical communication similar to 
the ones reported in Refs. [22], [23]. Specifically,
Alice and Bob randomly group their corresponding
remaining quantum particles in pairs. Suppose the 
jth particle of the ith pair was initially prepared 
in the state \si ). Then, Alice publicly announces 
the value s^^ — G GF{N) for each pair i. 
Similarly, Bob publicly announces the value s^^ — 
where ) is the measurement result of the 
jth particle in the ith pair. They keep one of their
corresponding registers of the pair only when their
announced values for the corresponding pairs agree.
They repeat the above procedure until there is
an integer $r > 0$ such that a single application
of step 3b) will bring the quantum channel error
rate of the resultant particles down to ej/i'^ for a 
fixed security parameter e/ > 0, where r£ is the 
number of remaining quantum particles they have. 
They abort the scheme either when r is greater
than the number of remaining quantum particles
they possess or when they have used up all their
quantum particles in this procedure.
b) They apply the majority vote phase error correction
procedure introduced by Gottesman and Lo [22]. 
Specifically, Alice and Bob randomly divide their 
corresponding resultant particles into sets each 
containing r particles. They replace each set by 
the sum of the values prepared or measured of the 
r particles in the set. These replaced values are bits 
of their final secure key string. 

Theorem 5 (Based on Shor and Preskill [20]): Scheme A
in Section III and Scheme B above are equally secure. Thus,
the conclusions of Theorem 4 are also applicable to Scheme B.

Proof: Recall from Ref. [20] that Alice may measure all 
her share of quantum registers right at step in Scheme A 
without affecting the security of the scheme. Besides, LOCC2 
EP and PEC procedures in Scheme A simply permute the 
measurement basis. More importantly, the final secret key 
generation does not make use of the phase information of 
the transmitted quantum registers. Hence, the Shor-Preskill 
argument in Ref. [20] can be applied to Scheme A, giving 
us an equally secure prepare-and-measure Scheme B above. 

■ 

From the discussions in Subsection IV-A, we should not and
cannot compare the error tolerant capability of Scheme B that
uses unentangled quantum particles of different dimensions
as information carrier. Nonetheless, we may compare the
error tolerant capability of the entangled-qubit-based
prepare-and-measure QKD scheme derived from Scheme B against
the same eavesdropping attack. Recall that in the absence
of quantum storage, we may regard the transfer of a
16-dimensional quantum particle as the transfer of 4 consecutive
qubits in the insecure quantum channel. Now, I consider the
following eavesdropping strategy: Qubits passing through the
insecure communication channel are partitioned into sets each
containing 4 consecutive qubits. Eve randomly and
independently measures each set in the standard basis with
probability $q$. Suppose $q$ satisfies

$$0.8292 \approx \frac{3}{10}\left(5-\sqrt{5}\right) < q < \frac{68}{1335}\left(19-\sqrt{5}\right) \approx 0.8539. \tag{47}$$

From Lemma 6 and Eq. (46), the BER caused by this
eavesdropping strategy on the entangled-qubit-based
prepare-and-measure QKD scheme derived from Scheme B for $N = 2^n$ is
given by el™ $(N) = q(N-1)(Nn+2)/[2Nn(N+1)]$. Using
Eqs. (E)-<E3, I conclude that e|™$(2) > (5-\sqrt{5})/10$.
In other words, e|™(2) is greater than tolerable BERs of
all known unentangled-qubit-based prepare-and-measure QKD
schemes to date. In contrast, e|™$(16) < 33(19-\sqrt{5})/1424$.
Hence, from Theorem 5 together with Eqs. (39), (45) and (46),
Scheme B can generate a provably secure key under this
eavesdropping attack when $N = 16$. Actually, one may
construct an eavesdropping attack that can be tolerated by the
entangled-qubit-based prepare-and-measure scheme derived
from Scheme B for a fixed $N = 2^n > 16$ in a similar way.
(The strategy is to partition the qubits into sets each containing
$n$ consecutive qubits. Eve makes standard basis measurement on
each set with probability $q$ chosen from an interval similar to
the one stated in Eq. (47).) All known unentangled-qubit-based
prepare-and-measure schemes to date, in contrast, cannot
generate a provably secure key under the same attack.

On the other hand, suppose Eve chooses a slightly different
strategy by measuring randomly and independently a qubit
in each set of 4 consecutive qubits with probability
$q' = 1 - [(43 + 68\sqrt{5})/1335]^{1/4} \approx 0.3817$ in the standard basis.
Under this modified eavesdropping attack, the probability that
a randomly chosen 4 consecutive qubits are not chosen equals
$(1 - q')^4$ in the limit of large number of qubit transfer.
Thus, the BER induced by this attack on the
entangled-qubit-based prepare-and-measure scheme derived from Scheme B
for $N = 16$ is given by
$[1 - (1 - q')^4](N-1)(Nn+2)/[2Nn(N+1)] = 33(19-\sqrt{5})/1424$.
This BER rate is
just too high for the entangled-qubit-based scheme derived
from Scheme B for $N = 16$ to handle. In contrast, the BER
caused by the same eavesdropping attack for the six-state
scheme equals $q'/3 \approx 0.1272$. This attack, therefore, can
be handled easily by the unentangled-qubit-based
prepare-and-measure QKD scheme introduced by Chau in Ref. [23].
To summarize, the entangled-qubit-based prepare-and-measure
scheme derived from Scheme B for $N > 2$ is more error
resilient when dealing with burst type of errors than the
unentangled-qubit-based prepare-and-measure schemes.
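
A numerical check of the two eavesdropping scenarios above, added here as an example that is not part of the original paper. It takes the BER expression and the two tolerable-BER thresholds exactly as quoted in the text; the function and constant names are hypothetical.

```python
from fractions import Fraction
from math import sqrt

SQRT5 = sqrt(5)
# Tolerable-BER thresholds as quoted in the text (taken as given, not derived here).
QUBIT_TOL = (5 - SQRT5) / 10        # best known unentangled-qubit schemes
N16_TOL = 33 * (19 - SQRT5) / 1424  # entangled-qubit scheme from Scheme B, N = 16

def ber_factor(n):
    """Exact BER per disturbed block for N = 2**n: (N-1)(Nn+2) / [2Nn(N+1)]."""
    N = 2 ** n
    return Fraction((N - 1) * (N * n + 2), 2 * N * n * (N + 1))

def q_window():
    """Interval of Eq. (47): qubit schemes fail (BER > QUBIT_TOL) while the
    N = 16 scheme still succeeds (BER < N16_TOL)."""
    return QUBIT_TOL / ber_factor(1), N16_TOL / ber_factor(4)

def block_attack(q):
    """Eve measures whole 4-qubit blocks with probability q (burst errors).
    Returns (BER on a qubit scheme, BER on the N = 16 scheme)."""
    return q * ber_factor(1), q * ber_factor(4)

def per_qubit_attack(q1):
    """Eve measures each qubit independently with probability q1; a 4-qubit
    block is disturbed as soon as any one of its qubits is measured."""
    p_block = 1 - (1 - q1) ** 4
    return q1 * ber_factor(1), p_block * ber_factor(4)

def verdicts(ber_qubit, ber_n16):
    """True where the BER is strictly below the quoted tolerable threshold."""
    return ber_qubit < QUBIT_TOL, ber_n16 < N16_TOL

if __name__ == "__main__":
    lo, hi = q_window()
    print(f"Eq. (47) window: {lo:.4f} < q < {hi:.4f}")
    print("block attack at q = 0.84 (qubit ok, N=16 ok):",
          verdicts(*block_attack(0.84)))
    q1 = 1 - ((43 + 68 * SQRT5) / 1335) ** 0.25
    b2, b16 = per_qubit_attack(q1)
    print(f"per-qubit attack at q' = {q1:.4f}: six-state BER {b2:.4f}, "
          f"N=16 BER {b16:.5f} vs threshold {N16_TOL:.5f}")
```

In the block attack the same measurement probability hurts the qubit scheme more than the 16-level scheme because the per-block factor drops from 1/3 to 495/1088 of a four times larger unit; in the per-qubit attack the block disturbance probability compounds over the four qubits and the advantage disappears.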

Now, I need to point out an important remark on the
number of different kinds of states Alice has to prepare in
Scheme B. To distribute the key using an $N$-level quantum
system with $N = 2^n$, Corollary 1 tells us that $T^k \neq I$
for all $k = 1, 2, \ldots, N$. Therefore, $T^i|j\rangle$'s are distinct states
for $0 \le i \le N$ and $j \in GF(N)$. Thus, Scheme B is a
$N(N+1)$-state scheme. In contrast, if $N = p^n$ with $p > 2$,
then $T^{(N+1)/2} = -I$ by Corollary 1. Hence, in this case,
upon measurement on the standard basis, Scheme B is a
$N(N+1)/2$-state scheme. This observation suggests that there
may be room for improving the error tolerance rate of a
prepare-and-measure QKD scheme involving $N$-dimensional
quantum particles for an odd $N$.



Finally, I remark that the lemma below suggests the possi- 
bility of a subtle relation between Scheme B and the so-called 
mutually unbiased bases. 

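Lemma 7: If $N = 2^n$, then the bases $\{|k\rangle\}_{k \in GF(N)}$,
$\{T|k\rangle\}_{k \in GF(N)}$, $\{T^2|k\rangle\}_{k \in GF(N)}$, $\ldots$, $\{T^N|k\rangle\}_{k \in GF(N)}$ are
mutually unbiased. While if $N = p^n$ with $p > 2$, the bases
$\{|k\rangle\}_{k \in GF(N)}$, $\{T|k\rangle\}_{k \in GF(N)}$, $\ldots$, $\{T^{(N-1)/2}|k\rangle\}_{k \in GF(N)}$
are mutually unbiased.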

Proof: I shall only consider the case when $N = 2^n$. The
other case can be proven in the same way. Let $0 \le i < i' \le N$.
I consider the equation

$$\langle k'|T^{i'-i}|k\rangle = \langle 0|Z_j X_{-k'} T^{i'-i} X_k|0\rangle, \tag{48}$$

which holds for all $j \in GF(N)$. Since $0 < i' - i \le N$,

Corollary [2 implies that M{T^ is in the form ^ ^ 

for some $b \neq 0$. Therefore, applying Eqs. (5) and (8) to
the right hand side of Eq. (48) gives an expression
proportional to $\langle 0|T^{i'-i} X_{k-k'a+jb} Z_{-k'b+jc}|0\rangle =
\langle 0|T^{i'-i}|k-k'a+jb\rangle$. More importantly, the magnitude of the
proportionality constant equals 1 for all $j, k, k' \in GF(N)$. Hence,
$|\langle k'|T^{l}|k\rangle|^2 = |\langle k''|T^{l}|k\rangle|^2$ for all $k, k', k'' \in GF(N)$
whenever $0 < l \le N$. Hence, $\{|k\rangle\}_{k \in GF(N)}$, $\{T|k\rangle\}_{k \in GF(N)}$,
$\ldots$, $\{T^N|k\rangle\}_{k \in GF(N)}$ are mutually unbiased. ■

Since the maximum number of mutually unbiased bases
equals $(N + 1)$ for any prime power $N$ [31], [32], [33], the
construction in Scheme B provides a simple way to build such
mutually unbiased bases for $N = 2^n$. Perhaps one may build
a more error tolerant QKD scheme using mutually unbiased
bases for the case of an odd prime power $N$.

VI. Discussions 

In summary, I have introduced a prepare-and-measure
QKD scheme (Scheme B) and proved its unconditional
security. In particular, I show that for a sufficiently large Hilbert
space dimension of quantum particles $N$ used, Scheme B
generates a provably secure key close to 100% SBMER or
50% BER. This result demonstrates the advantage of using
unentangled higher dimensional quantum particles as signal
carriers in QKD.

A variation to the theme is worth discussing. Suppose Alice
can only send qubits. Besides, she can entangle the qubits
but she cannot store them. Then, she may group $n$ qubits
together as a $2^n$-dimensional system and apply Scheme B.
Under this situation, Scheme B can generate a provably secure
key under certain eavesdropping attack whenever $n \ge 4$.
In contrast, no unentangled-qubit-based prepare-and-measure
QKD scheme known to date can tolerate the same
eavesdropping attack. Nonetheless, there exists another eavesdropping
attack that Scheme B cannot tolerate unless $N = 2$. Recall
that Scheme B is equivalent to the unentangled-qubit-based
prepare-and-measure scheme proposed by Chau in Ref. [23].
Therefore, the ability to create, transfer but not to store
entangled qubits is advantageous in quantum cryptography using
certain quantum channels with burst errors.

There is a tradeoff between the error tolerance rate and key
generation efficiency, however. It is clear from the proof of
Theorem 01 that r and hence the number of quantum particle
transfer from Alice and Bob L scales as 2'^. Besides, the
probability that the measurement results agree and hence the 
control quantum register pairs are kept in LOCC2 EP equals 
w in the worst case. As a result, while the Scheme B is 
highly error-tolerant, it generates a secret key with exponen- 
tially small efficiency in the worst case scenario. Fortunately, 
the adaptive nature of Scheme B makes sure that this scenario 
will not happen when the error rate of the channel is small. To 
conclude, in most practical situations, Alice and Bob should 
choose the smallest possible $N$ whose corresponding $e^{\text{SBMER}}$
is slightly larger than the channel standard basis measurement 
error rate. In this way, they can almost surely generate their 
provably secure key at the highest possible rate. 

As I have noted in Section V, there may be room for
improving the error tolerance rate in the case p > 2 since 
Scheme B uses only N{N + l)/2 different quantum states 
in signal transmission. It is instructive to explore such a 
possibility. 